Re: MASQUERADE problem

2001-10-28 Thread Dave Watkins

At 08:09 PM 10/22/01 +0200, you wrote:

The line

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

should be using interface eth1 not ppp0 as you (probably) don't have a ppp 
interface.

Also you should add this

echo 1 > /proc/sys/net/ipv4/ip_forward

to enable IP forwarding. The redirect line isn't needed to do MASQ, the 
above 2 lines alone should do it.

Dave


>Hi all,
>
>I've installed a router with linux (a pc with an internet connection). I
>would like to share this connection with the other pcs on my network, but it
>doesn't work. Could anyone help me?
>
>This is my config:
>
>eth0 (10.0.0.1) connected to internet
>eth1 (192.168.0.1) connected to the rest of my lan
>
>on my second pc (192.168.0.12), i've defined the default gateway as
>192.168.0.1.
>
>On the router, I have done the following :
>
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
>
>When the pc tries to ping an address on the internet, there is a message
>'network unreachable'
>
>What shall I do to make it work ?
>
>Best regards


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
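
Added example, not part of the original thread: a shell check for the two settings this exchange turns on, namely that the MASQUERADE rule names the interface the default route leaves by and that IP forwarding is enabled. It assumes the layout given in the question (eth0 toward the Internet, eth1 toward the LAN); the gateway 10.0.0.254, the /24 masks, the sample text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Offline sanity check for a masquerading router. It works on text, so it can
# be fed saved output or, on a live router:
#   check_masq "$(iptables-save -t nat)" "$(ip route)" "$(cat /proc/sys/net/ipv4/ip_forward)"

# Print the interface that carries the default route (`ip route` format).
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Print the -o interface of each POSTROUTING MASQUERADE rule ("-" if the rule
# has no -o match), given rules in iptables-save format.
masq_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = "-"; masq = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
            }
            if (masq) print out
        }'
}

# Print PREROUTING REDIRECT rules that match no protocol or port.
unscoped_redirects() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "PREROUTING" {
            redir = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "REDIRECT") redir = 1
                if ($i == "-p" || $i == "--dport") scoped = 1
            }
            if (redir && !scoped) print
        }'
}

# check_masq RULES ROUTES IP_FORWARD: print findings, return 0 only if the
# router can masquerade LAN traffic out of its default-route interface.
check_masq() {
    rules=$1; routes=$2; forward=$3
    status=0
    wan=$(default_iface "$routes")
    if [ -z "$wan" ]; then
        echo "FAIL: no default route, so there is no outbound interface to masquerade on"
        return 1
    fi
    if [ "$forward" != "1" ]; then
        echo "FAIL: ip_forward is $forward (fix: echo 1 > /proc/sys/net/ipv4/ip_forward)"
        status=1
    fi
    matched=no
    for ifc in $(masq_ifaces "$rules"); do
        if [ "$ifc" = "$wan" ] || [ "$ifc" = "-" ]; then
            matched=yes
        else
            echo "WARN: MASQUERADE rule names -o $ifc, but the default route leaves via $wan"
        fi
    done
    if [ "$matched" = no ]; then
        echo "FAIL: no MASQUERADE rule covers $wan (fix: iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE)"
        status=1
    fi
    unscoped_redirects "$rules" | while read -r rule; do
        echo "WARN: REDIRECT with no protocol/port match, not needed for masquerading: $rule"
    done
    [ "$status" -eq 0 ] && echo "OK: forwarding is on and MASQUERADE is applied on $wan"
    return "$status"
}

# Constructed sample data: the two rules from the question in iptables-save form.
BROKEN_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j REDIRECT
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Constructed: the same table with the rule bound to the Internet-facing interface.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed routing table for the layout in the question.
SAMPLE_ROUTES='default via 10.0.0.254 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1'

echo "== rules as posted, forwarding off =="
check_masq "$BROKEN_RULES" "$SAMPLE_ROUTES" 0 || true
echo "== corrected rules, forwarding on =="
check_masq "$FIXED_RULES" "$SAMPLE_ROUTES" 1 || true
```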




Re: Survey .. how many domains do you host? (Now RAID)

2001-11-02 Thread Dave Watkins



Contrary to popular belief the Highpoint chipsets are only software RAID. 
The driver uses processor time to actually do the RAID work. The chip is 
just an IDE controller. Based on that even if it isn't supported at a RAID 
level you can still use the software RAID available in linux as the kernel 
has had standard IDE drivers for the highpoint for a while now.

Hope this helps

At 08:35 AM 11/3/01 +1100, you wrote:
>On the topic of RAID...
>
>does anyone know if the HighPoint RAID chipsets are supported YET?
>
>BSD has had support for this for ages... linux in the game yet?
>
>Sincerely,
>Jason
>
>- Original Message -
>From: "James Beam" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, November 03, 2001 6:07 AM
>Subject: Re: Survey .. how many domains do you host?
>
>
> > Wouldn't something like this totally depend on the hardware resources and
> > general config/maintenance of the server?
> >
> > I can tell you that one of my servers running an older copy of qmail/vchkpw
> > is running over 800 domains with lots of steam to spare (each domain is
> > minimal traffic). Hardware is a PIII733 w256MB ram and 30GIG EIDE drives
> > (promise mirror)
> >
> > - Original Message -
> > From: "alexus" <[EMAIL PROTECTED]>
> > To: "Steve Fulton" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Friday, November 02, 2001 11:49 AM
> > Subject: Re: Survey .. how many domains do you host?
> >
> >
> > > um.. m'key..
> > >
> > > you should've stated that before so no one would get wrong thoughts (like i
> > > did)
> > >
> > > - Original Message -
> > > From: "Steve Fulton" <[EMAIL PROTECTED]>
> > > To: "alexus" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Friday, November 02, 2001 1:58 AM
> > > Subject: Re: Survey .. how many domains do you host?
> > >
> > >
> > > > > and who are you to do such a survey?
> > > >
> > > >   Down boy!  Down!  LOL!
> > > >
> > > >   No need to snap, I'm doing this because a PROGRAM I AM WRITING has
> > > > VARIABLES that need to be defined to a certain array size, as they will
> > > > hold FQDN's.  In order to make this program universally useful, I would like
> > > > to know the maximum number of domains that has been (realistically) hosted
> > > > on one server.
> > > >
> > > >   K?
> > > >
> > > > -- Steve
> > > >
> > > > http://www.zentek-international.com/
> > >
> > >
> >
> >
>
>




Re: rogue Chinese crawler

2001-11-24 Thread Dave Watkins

I'm sure it's been said before but why not just configure iptables to drop 
the packets from 139.175.250.23?

Then it CAN'T connect

At 07:34 PM 11/24/01 +, Martin WHEELER wrote:
>On Sat, 24 Nov 2001, Hereward Cooper wrote:
>
> > > Despite what I put in any robots.txt, this one disregards all rules and
> > > just jams up my system, downloading every damn' thing in sight.
> > > Mails to the owners are totally disregarded.
> >
> > Have you actually seen:
> > http://www.openfind.com.tw/robot.html
> >
> > It talks about the robot and how to get it to stop accessing your site.
>
>Hereward -- did you read my first paragraph?
>(But to answer your question -- yes -- _of course_ I've actually seen
>the robot.html page.)
>The site tacitly admits that people are having difficulty getting rid of
>the 'bots -- and DESPITE applying every fix so far suggested to me, this
>is from tonight's access.log:
>
>robot12.openfind.com - - [24/Nov/2001:18:38:27 +] "GET
>/familycentury/twins/ HTTP/1.0" 200 3054 "-" "Openfind data gatherer,
>Openbot/3.0+([EMAIL PROTECTED];+http://www.openfind.com.tw/robot.html)"
>
>OK?
>(Mind you, I may slowly be working my way through killing off 16
>different 'bots, but I'm still leery.)  I seem to have reduced it to 5
>hits per attack -- instead of 45 minutes continuous lockup, as
>experienced yesterday -- but it seems to be ignoring all attempts to
>keep it out of my system.
>
> From off-list correspondence I know I'm not the only victim, either.
>Degree of annoyance varies from site to site (possibly dependent on
>overall site setup).
>
>Martin
>--
>
>




Qmail and Stunnel

2002-01-03 Thread Dave Watkins

Hi All

I've just setup qmail to run over stunnel for POP on port 995. Below is the 
command I use to run it

#!/bin/sh
exec /usr/local/bin/softlimit -m 300 /usr/local/bin/tcpserver -DRHv -l 0 \
  0 995 /usr/sbin/stunnel -l /var/qmail/bin/qmail-popup  /bin/checkpassword \
  /var/qmail/bin/qmail-pop3d Maildir 2>&1

The first time I checked with Outlook Express I was prompted with the 
certificate warning etc. I accepted that and now get this error after 
having the login/password windows popup several times (because of the failure)

There was a problem logging onto your mail server. Your Password was 
rejected. Account: 'dave', Server: '192.168.20.251', Protocol: POP3, Server 
Response: '-ERR this user has no $HOME/Maildir', Port: 995, Secure(SSL): 
Yes, Server Error: 0x800CCC90, Error Number: 0x800CCC92

My concern is the no $HOME/Maildir, but I can't understand why it's not 
working. Standard logins to port 110 are fine. Basically all I did was copy 
my run script from the normal POP service and change the port tcpserver 
listens on and add the stunnel command.

Thanks
Dave






Re: blocking ports

2002-01-10 Thread Dave Watkins

Firstly look through the services you run and see if they can be bound to a 
single interface only. If they run from inetd you can replace it with 
xinetd to gain this functionality. Secondly (and this may or may not work, 
I've never actually tried it), you could try rejecting the packets rather 
than dropping them. That should return a port closed type message to nmap 
so it would be unable to tell that port is filtered.

At 08:34 10/01/2002 -0700, David Bishop wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>I'm running a server that's hot to the net, and running some insecure
>services (by necessity), like nfs.  Of course, I used iptables to block all
>those ports, using nmap and netstat to double check all my open ports.
>However, what nmap reports back is "filtered" for those ports.  I would
>prefer if I could somehow make it so that they are "closed" to the outside
>world, so that random j. hacker doesn't know that I'm running that service at
>all.  Is there some way to do that, or do I just live with "filtered"?
>
>TIA and HAND!
>
>- --
>D.A.Bishop
>-BEGIN PGP SIGNATURE-
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE8PbSkEHLN/FXAbC0RAujUAJ0V5VD9ct2NbznFwtg4+j6D/rtmzACdEFDy
>EUlPKvw//odhMmweQ5Yx5dw=
>=3oEF
>-END PGP SIGNATURE-
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
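
Added example, not part of the original thread: the rejecting-instead-of-dropping idea from the reply, written as a shell filter over iptables-save output. A closed TCP port answers a SYN with a RST and a closed UDP port answers with ICMP port unreachable, so the filter rewrites each DROP rule to the REJECT form that sends that same answer. The sample ruleset (NFS on 2049, portmapper on 111, interface eth0) and the function name are constructed for illustration.

```shell
#!/bin/sh
# Rewrite "-j DROP" rules so blocked ports answer the way a closed port does.
#   TCP rules -> REJECT --reject-with tcp-reset (only valid together with -p tcp)
#   UDP rules -> REJECT --reject-with icmp-port-unreachable
# Rules for other protocols, or with no -p match, are left as DROP.
# Note: the kernel rate-limits outgoing ICMP unreachables, so a fast UDP scan
# can still see some of these ports as unanswered.

# drop_to_reject RULES: print RULES (iptables-save format) with the rewrite applied.
drop_to_reject() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $NF == "DROP" && $(NF - 1) == "-j" {
            proto = ""
            for (i = 3; i < NF; i++) if ($i == "-p") proto = $(i + 1)
            if (proto == "tcp")
                sub(/-j DROP$/, "-j REJECT --reject-with tcp-reset")
            else if (proto == "udp")
                sub(/-j DROP$/, "-j REJECT --reject-with icmp-port-unreachable")
        }
        { print }'
}

# Constructed sample ruleset: ports blocked on the Internet-facing interface.
SAMPLE_FILTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 2049 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 2049 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -i eth0 -p icmp -j DROP
COMMIT'

# Show the rewritten ruleset; the result is in the format iptables-restore reads.
drop_to_reject "$SAMPLE_FILTER"
```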






Re: Multiple dhcp servers.

2002-01-25 Thread Dave Watkins

At 11:54 25/01/2002 +, Fred Clausen wrote:
>Hi all,
>
>At the moment I have one dhcp server running ISC dhcpd, and it's working
>fine. However I wish to add another in case the main one goes down. Is it
>as simple as setting it up on another machine with similar config? My
>worry is that a client will request an address and both servers will
>respond, potentially causing problems. Is there a master/slave setup I can
>use? Or shall I simply set up a second one.

As far as I know this isn't possible for a few reasons. The lease table for 
IP's already allocated is stored in a file on the system. To have failover 
your second machine would have to have a copy of this file locally. 
Secondly as you mentioned both servers will respond and whichever machine's 
reply gets to the client first is the one it will accept. If you could get 
the dhcpd.lease file synced in realtime it should be possible.. but it would 
be messy at best. I haven't looked into this for a while and there may be a 
better way to do it now.

The other option is have the second machine as a complete failover and use 
a heartbeat much like the current mailserver thread is going.

Dave






Re: Weird SMP problem

2002-01-31 Thread Dave Watkins

On older Asus Dual boards you needed to disable MPS 1.4 in the BIOS 
otherwise you would get lock ups. I haven't tested this on the newer boards 
but it might be worth trying. Also make sure the PSU has enough power, a 
300watt should be enough for the second machine. Finally are you using ECC 
memory?

At 19:23 31/01/2002 +0100, Marcin Owsiany wrote:
>Hi!
>
>Imagine the following configurations:
>
>machine1:
> - 2 x Pentium III 800MHz
> - CUV266-D Asus motherboard (VIA VT8633/8233)
> - 1 GB DDR RAM
> - SCSI storage controller: Adaptec 7892A
> - 2 x IBM HDs (Model: DDYS-T09170N)
>
>machine2:
> - the same CPUs, motherboard and RAM as in machine1
> - FUJITSU MPF3153AH, ATA DISK drive
>
>
>Both machine1 and machine2 run Linux 2.4.17 SMP
>
>machine1 runs Debian potato + Adrian Bunk's packages needed to run
>2.4.x kernel + a bit patched version of qmail
>
>machine2 runs Debian woody + the same version of qmail
>
>
>
>machine2 runs well (we did some stress tests like injecting a few
>thousand of messages into qmail and compiling the kernel with -j 2)
>
>As for machine1, it boots nicely, switches into runlevel 2 and then,
>about 4 or five seconds after qmail starts - freezes completely (not even
>keyboard LEDs blink).
>
>This is the weirdest thing about that. We started it in single user mode,
>it fsckd all filesystems, we deleted all links in /etc/rc2.d, removed
>/etc/nologin*, proceeded to runlevel 2 and then manually started the
>services one-by-one, waiting a minute or so after each one started to
>check if the machine is still responsive. And again it froze
>a few seconds after starting qmail (while the disks were still churning as it
>processed its queue).
>
>The SCSI controller and disks _are_ ok, since it has run flawlessly on a
>non-SMP system for some year or so (and actually still runs as I type
>these words).






Re: RAID Suggestion for webserver

2002-02-15 Thread Dave Watkins

Hi All

RAID 0 gives the best read and write performance as the data is striped 
across the drives.
RAID 1 gives the same write performance as a single drive but read 
performance is faster than a single drive (as there are always 2 drives 
that the data can be read from, hence the controller can choose the drive 
not being accessed / with its head closest to the needed data).
RAID5 gives read performance a boost for the same reason as RAID0, but write 
performance is only slightly faster than a single drive as the array must 
'stop' while the controller calculates the parity bit and writes that to a 
drive.

Overall the chances of 2 drives failing at the same time are very small and 
if they do you look to your backup. Also running all your services on one 
box will be fine for a small setup, but if you have big plans you will 
quickly run out of processing power (especially with a database on the 
box). It would seem unlikely that the HDD transfer speed will be the 
bottleneck.

At 02:53 14/02/2002 +0800, Jason Lim wrote:

> > It shouldn't be any worse write performance than RAID-5, and read performance
> > should be good!
> >
>
>With RAID 5, isn't the data distributed (along with parity data) to the
>various disks, while with RAID 1 the whole data is written to all disks?
>I'm guessing that each disk writing only part of the data to each disk
>would lead to faster performance (as long as the controller can handle
>sending the data to all the disks that fast).
>
>Read performance... if it is RAID 1 i suppose it would depend on how good
>the read algorithm is? Worst case it would be the same as a single disk.
>But if it is RAID 5, wouldn't it only need to read a bit of the data from
>each disk (to build up the complete data)?
>
>(I may be wrong with the above information, i'm no raid expert).
>
> > Instead of having one server for 50 accounts which does everything, why not
> > have different servers for different services?  Then you could have three web
> > servers for several thousand domains instead of getting a new server for
> > every 50...
> >
>
>I could see a lot of headache doing it that way, including user
>authentication and how to tie all the services together in a nice neat
>package that is easy to manage/maintain. Virtually all the publicly
>available solutions (Plesk, Hostplus, etc.) do it on a per-server basis,
>and that would include Cobalt's Raqs.
>
>I suppose if we have many thousands of accounts it would be more
>economical to do it your way (separate mail server, ftp server, auth
>server, www server, database server, etc. each specialized in both
>software and hardware) but we don't have THAT many customers ;-)  Mostly
>we put lower-end clients on servers with 100-200 or so clients, with
>higher end clients on servers with 50 or less. Works out pretty well that
>way, as you can then artificially "manage" the performance you give
>clients (of course, this is not direct control, but it achieves the same
>goal).
>
>




Re: RAID 0 risky ?

2002-03-19 Thread Dave Watkins

Technically speaking drives don't _wear_ out... Bad sectors are generated 
because at some time the disk surface has been damaged, usually by the 
heads hitting the disk. And many faults to do with the components on the 
controller board can be traced to a poor supply of power (eg spikes and 
brownouts, a UPS will help resolve this)

Other than that, RAID 0 is more risky than a single drive as you have no 
fault tolerance (one drive fails and you lose all the data on all the 
drives), and you have three times the chance that one of the drives will 
bomb for whatever reason. Since it is for mail storage (an inherently 
difficult data source to back up), I would say using RAID 0 would be a VERY 
bad idea, especially since you mention IMAP (eg mail stored on the server). 
If one drive fails every user you have loses their mail.

I would think RAID 5 would be the better system to use in this instance.

To follow your usage question a little: let's assume you want to write 256k 
to the array.

(We assume 64k block size for all arrays)

In a RAID 0 situation the first drive would have 128k written and the other 
2 would have 64k written to them.

In RAID 1 (using 2 drives) each drive would have 256k written to them.

In RAID 5, each drive would have 128k written. There would be 2 x 64k 
written to the 2 data drives, as well as another 128 on the parity drive 
(for this particular write).

This is simplified but correct, from here we can see that RAID 1 would have 
the highest usage patterns per drive, next would be RAID5 and finally RAID 
0. This is of course the price you pay for redundancy, you have to 
replicate the data somehow. RAID 5 obviously does the least replication 
while still keeping fault tolerance, although it does cost a small amount 
of computing power (not a problem if you have a RAID card)

Hope this helps
Dave

At 00:09 20/03/2002 -0500, Thedore Knab wrote:
>Is RAID 0 that risky anymore for data storage (IMAP mail files) ?
>
>I figure that under normal wear and tear a drive should last about 5 years.
>
>Does this sound right ?
>
>I have 3 IBM SCSI 18GB drives.
>
>With RAID 0, I get 51.5GB of storage space.
>With RAID 5, I only get 37 GB of space with 20% wasted overhead.
>
>RAID 0 and RAID 1 are less work for the disk volume than RAID 5.
>
>So in an ideal world, volumes with RAID 0 or RAID 1 will last longer than
>volumes in RAID 5.
>
>Thus, it would be less risk to use RAID 0 or better RAID 1 than RAID 5.
>
>-
>Ted Knab
>
>




Re: Is mysql 3.2x stable enough for HA requirement?

2002-03-31 Thread Dave Watkins

Hi Patrick

MySQL replication is only one way in 3.2x so all writes have to be sent to 
the master server, but the reads can be done from the slaves. If you lose 
a slave then no big deal, round robin DNS alone should take care of that 
with very little impact, but if you lose the master then you can't perform 
any writes until it's back up and running.

If you can't live with the risk of data loss then question 2 is really 
irrelevant, and so is most of question 3. InnoDB is the only transaction 
capable DB format MySQL supports so even if it is slower, what choice do 
you have? The only question left is: Is it reliable enough for a production 
environment? Usually when faced with that question I use PostgreSQL.

Dave

At 14:23 1/04/2002 +0800, Patrick Hsieh wrote:
>Hello,
>
>I am planning to have some woody with mysql-server running on a
>mission-critical environment. My criteria is:
>
>
>1. HA requirement:
>By using mysql built-in replication, I'd like to have a load-balancing
>and fail-over mysql clusters
>
>2. minimal data loss risk
>How much can mysql 3.2x guarantee the minimization of data loss?
>
>3. InnoDB and MyISAM impact on performance and management?
>Since we need transaction, InnoDB is the only choice. Is there any
>performance or management impact between InnoDB and MyISAM?
>Is InnoDB reliable enough for productive environment?
>
>Any experience highly appreciated.
>
>
>
>--
>Patrick Hsieh <[EMAIL PROTECTED]>
>
>GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
>
>




Re: how to design mysql clusters with 30,000 clients?

2002-05-22 Thread Dave Watkins

At 16:02 22/05/2002 +0800, Patrick Hsieh wrote:
>Hello list,
>
>I am expecting to have 30,000 http clients visiting my website at the
>same time. To meet the HA requirement, we use dual firewall, dual
>Layer-4 switch and multiple web servers in the backend. My problem is,
>if we use the user-tracking system with apache, php and mysql, it will
>surely brings a huge amount of database traffic. How can I balance mysql
>load among multiple mysql server yet assure the data consistency among
>them? My idea is:
>
>1. use 3 or more mysql servers for write/update and more than 5 mysql
>servers for read-only. Native mysql replication is applied among them.
>In the mysql write servers, use 1 way replication like A->B->C->A to
>keep the data consistency. But I am afraid the loss of data, since we
>can't take the risk on it, especially when we are relying our billing
>system on it.

This will not work. MySQL replication does not work like that. With MySQL 
replication you have one master and all others replicate from it. It is 
also the only server that can write to the DB. Your options for following 
this route would be to either use the experimental 2 way replication 
support in the beta of MySQL4, or use a different DB.

Dave






Re: [interfaces + route] My new firewall doesn't forward packages

2002-06-04 Thread Dave Watkins

Do you have IP forwarding turned on?

echo 1 > /proc/sys/net/ipv4/ip_forward

At 15:46 4/06/2002 +0200, Davi Leal wrote:
>Hi there,
>
>We have an ISP: email, web, ftp, dns and radius servers. I'm trying to
>replace an old firewall (2.0.x kernel) with a new one (2.4.18 kernel). I am
>using the 'mimic' strategy, that is to say, getting the same routing table,
>... etc.
>
>*The problem*:  The current "new firewall" configuration can not forward any
>package. Note that iptables is stopped and all policy (INPUT, OUTPUT &
>FORWARD) are set to ACCEPT. I think it is because of the routing table.
>
>
>
>I have eth0 and eth1. With the below /etc/network/interfaces' file I get two
>lines in the router table.
>
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>
># /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
># The loopback interface
>auto lo
>iface lo inet loopback
># The first network card - this entry was created during the Debian installation
># (network, broadcast and gateway are optional)
>auto eth0
>iface eth0 inet static
>  address 194.224.7.9
>  netmask 255.255.255.0
>  network 194.224.7.0
>  broadcast 194.224.7.255
>  gateway 194.224.7.1
>auto eth1
>iface eth1 inet static
>  address 194.224.7.10
>  netmask 255.255.255.0
>  network 194.224.7.0
>  broadcast 194.224.7.255
>
>
>
>Adding some routing rules to the previous 'interfaces' file (see attached
>file), to mimic the old firewall routing table I get the below:
>
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>10.128.114.2    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
>194.224.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
>10.128.114.4    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
>194.224.7.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
>194.224.7.90    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
>127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
>194.224.7.0     0.0.0.0         255.255.255.128 U     0      0        0 eth1
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0  <---
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1  <---
>0.0.0.0         194.224.7.1     0.0.0.0         UG    0      0        0 eth0
>
>
>In the old system I have the same but without these two lines below. Is this
>the cause of the system not forwarding any package? How could I modify the
>'interfaces' file to remove these two lines? See attached the
>'/etc/network/interfaces'.
>
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>
>
>Regards,
>Davi Leal
>
>
>
>
>
>--
># /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
>
># The loopback interface
>auto lo
>iface lo inet loopback
>up route add 127.0.0.1 dev lo
>
># The first network card - this entry was created during the Debian installation
># (network, broadcast and gateway are optional)
>
>
># eth0 goes to outside (Internet)
>auto eth0
>iface eth0 inet static
>  address 194.224.7.9
>  netmask 255.255.255.0
>  network 194.224.7.0
>  broadcast 194.224.7.255
>  # Default route to Internet via eth0
>  gateway 194.224.7.1
># Route to go to the Cisco 194.224.7.1 via eth0
>up route add 194.224.7.1 dev eth0
># Route to go to Tunels Server 194.224.7.90 via eth0
>up route add 194.224.7.90 dev eth0
># Route to go to internal firewall network card
>up route add 194.224.7.9 dev eth0
>
>
># eth1 goes to the internal network
>auto eth1
>iface eth1 inet static
>  address 194.224.7.10
>  netmask 255.255.255.0
>  network 194.224.7.0
>  broadcast 194.224.7.255
>  # gateway 194.224.7.1
># Route to 194.224.7.0/128 via eth1
>up route add -net 194.224.7.0 netmask 255.255.255.128 dev eth1
># Route to Radius server via eth1
>up route add 10.128.114.2 dev eth1
># Route to 'Telefonica Infovia' via eth1
>up route add 10.128.114.4 dev eth1
>
>
>




Spamassassin and Qmail

2002-06-30 Thread Dave Watkins

Hi All

I've been trying to get Spamassassin working with Qmail for a few days with 
no luck. All I want it to do is tag the messages as spam so they can be 
filtered by the email clients easily. I've applied the qmail-queue patch 
and set the qmailqueue variable to point to the script I want it to run 
(contents below)

---

#!/bin/sh
exec /usr/bin/spamc /var/qmail/bin/qmail-inject -n

---

 From what I can understand from the spamassassin documentation (which is 
very brief, and has almost no info on setting it up server side), you need 
to interrupt the delivery queue and send it through spamassassin first, 
which is fine and my setup should be working. Spamd is running and the 
sample-spam files work fine, headers are added etc.

I believe my problem is in the above script as everything else I can find 
says you need to run qmail-qfilter or a full blown virus scanner system, 
but I don't want to filter the messages, just add the headers, and I don't 
want to do email scanning in this box. I'm starting to think that qmail 
isn't checking the variable but there is no way to check (as far as I 
know), but I've definitely patched qmail properly and installed the 
modified binaries.

Anyone have any ideas?

Thanks
Dave






Re: virtual FTP hosting?

2002-07-14 Thread Dave Watkins

At 18:20 14/07/2002 +0200, Thomas -Balu- Walter wrote:
>+ B.C.J.O <[EMAIL PROTECTED]> [14.07.02 17:53]:
> > On Sun, 14 Jul 2002, Thomas -Balu- Walter wrote:
> >
> > > I am wondering what FTPDs you are using to support the following:
> > >
> > > - non local users in (My)SQL-Database
> > > - permit access to these users only to ~/ (chroot)
> > >
> > > So far the only one I've found is proftpd. Other suggestions?
> >
> > proftpd is the best ftpd available, but the absence of a 'host' component
> > in the ftp specification drastically limits the 'virtuality' you can
> > achieve with the service. you have to bind each virtual server to a new ip
> > address/alias.
>
>Of course. I was not thinking of virtual domains but virtual users (aka
>webspaces). ProFTPd was known to be the "best" by me ATM, because it was
>the only one. But a first quick view on pureftpd makes me want to use
>that instead.
>
>Of course the first view can only be a quick look at website (actual?,
>structure?), features and documentation (complete?) and pureftpd looks
>much nicer regarding these facts :)
>
>There are debian packages for it
>(http://www.pureftpd.org/README.Debian), but I wonder why it's not
>included into woody yet? :)
>
>  Balu

PureFTPd is very good (I use it here for the exact purpose above), plus it 
has been written with security in mind. There are deb's for it but they are 
VERY OLD. I floated the question of someone maintaining new packages for it 
and someone said they would be happy to. Unfortunately I haven't heard 
anymore of it, I'm happily using the old packages still as there aren't any 
holes that I'm aware of in it :-)

Dave






Re: [Help] ttyS1 is not working!!!!

2002-07-24 Thread Dave Watkins

If it's an internal modem you may/will have to disable COM2 in the BIOS

At 17:13 24/07/2002 +0800, axacheng wrote:
>Hello List :
>
>i have two modems that connect to two serial port (ttyS0,ttyS1)
>
>when i type "dmesg|grep tty" it show :
>ttyS00 at 0x03f8 (irq = 4) is a 
>16550A 3
>ttyS01 at 0x02f8 (irq = 3) is a 16550A
>
>its seem ttyS0 and ttyS1 was probed by kernel and DID NOT conflict with 
>other device!
>
>when i type "cat /dev/ttyS0 " it have some data respond
>
>however, i type "cat /dev/ttyS1" it DID NOT ANY respond from ttyS1
>
>i checked /proc/tty/driver/serial ,got some information as follow:
>0: uart:16550A port:3F8 irq:4 baud:9600 tx:58092 rx:8328903 DSR|CD
>1: uart:16550A port:2F8 irq:3 baud:9600 tx:0 rx:0
>
>so, i am very sure ttyS1 is NOT working!
>
>i have been surveyed a perfect 
>URL:http://www.tldp.org/HOWTO/Modem-HOWTO-17.html
>
>but is not refer to this question.@_@
>
>Anyone got ideas as to the nature/solution of this problem?
>
>--
>Trust & Unique ...
>Axacheng's PGP Public Key   http://www.navigation.idv.tw/pgpkey
>
>
>




Re: hard- or software-raid?

2003-01-24 Thread Dave Watkins
There is perhaps one extra thing hardware RAID will give you. When it comes 
to hardware failures a Hardware RAID card will almost always detect a 
failed (or failing) drive before any software based system would. In fact 
I've seen a RAID card detect a failed drive before the HDD manufacturers 
own Disk Diagnostic software, and they were happy to replace it based on my 
RAID cards diagnosis.

Dave

At 10:26 24/01/2003 +0100, Tinus Nijmeijers wrote:
My question kind'a stands: If the only thing I ask of it is for the data
to be safe (no speed or "no downtime!" issues) is there any reason to
use hardware over software raid?

I do not care if I have to take the server down for an hour (or 2, or 3)
to replace a disk, be it a raid disk or boot disk. I have plenty of
time, I could even run down to the store, get a new bootdisk, install
debian and be up and running in 2 hours. no problem.

ONLY thing that is important is that the data needs to be safe. if 2 of
the raid-disks fail I need the data to be safe.

(it is, of course, a budget thing. In case of fire I have tapes to get
the data back, there's downtime involved there. So I do care about
downtime. Just that with disks being as cheap as they are I was thinking
that a software raid is so cheap to build that maybe that's worth the
extra cash for the 3 extra disks that I need to buy.

scenario 1: boot of scsi, data is on a 200G IDE, tape backup

scenario 2: boot of scsi, data on 4x80G IDE (software-raid5), tape
backup  = + EURO 100

scenario 3: boot of scsi, data on 4x80G IDE (hardware-raid5), tape
backup = + EURO 500

scenario 4: boot of scsi, data on 4x80G SCSI (hardware-raid5), tape
backup = + EURO 2200


so for close to nothing (E 100) extra I get software raid.


Is hardware raid "safer"?

(I do not think it is, I'm just waiting for someone to tell me I'm being
naive here)


Tinus.







Re: hard- or software-raid?

2003-01-24 Thread Dave Watkins
This was with an Adaptec SCSI card. I'm not sure how it detected the error 
(may have been SMART related), but it told me there was an error so I 
swapped the drive and ran the diagnostic software over the drive. It came 
back clean so I reinstalled the drive and it failed again an hour or so later.

At 21:28 24/01/2003 +0100, Russell Coker wrote:
On Fri, 24 Jan 2003 21:04, Dave Watkins wrote:
> There is perhaps one extra thing hardware RAID will give you. When it comes
> to hardware failures a Hardware RAID card will almost always detect a
> failed (or failing) drive before any software based system would. In fact
> I've seen a RAID card detect a failed drive before the HDD manufacturers
> own Disk Diagnostic software, and they were happy to replace it based on my
> RAID cards diagnosis.

How exactly does it do this?

What brand of hardware RAID controller have you seen this with?  IDE or SCSI?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page







Re: dhcp3 and next-server

2003-02-01 Thread Dave Watkins
I could be wrong but it is my understanding that the TFTP has to be the
same machine as the DHCP server. Certainly that is the only way I've ever
been able to get it working.

At 21:14 1/02/2003 +0100, [EMAIL PROTECTED] wrote:
hi all,

Am using dhcp3-server and have noticed that the 'next-server'
option doesn't seem to work when booting off 3c905tx-m cards with
PXE or via their own mode with DHCP... it works however with
BOOTP.

have also tried 'server-name, and option tftp-server-name'...


For some reason the machine keeps trying to access the TFTP server
on the DHCP Server machine (also the gateway) instead of on the
TFTP Server

am I setting the wrong option? I >THINK< that this worked with dhcpd v2.

Any ideas

Thanks

Andrew






Re: Qmail+Spamassasin

2003-02-25 Thread Dave Watkins
Try this

http://www.magma.com.ni/~jorge/spamassassin.html

If you have any grief let me know as I've got it running here from these 
instructions

Dave

At 13:16 25/02/2003 +0100, Jasper Metselaar wrote:
Hi,

Is there someone who's using SpamAssassin together with Qmail (Gerrit
Pape's packages)? I am trying to get this combination working, but didn't
succeed yet. If someone knows a good how-to document I would be very grateful.
Thanks in advance!

- Jasper





Re: MASQUERADE problem

2001-10-29 Thread Dave Watkins
At 08:09 PM 10/22/01 +0200, you wrote:
The line
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
should be using interface eth1 not ppp0 as you (probably) don't have a ppp 
interface.

Also you should add this
echo 1 > /proc/sys/net/ipv4/ip_forward
to enable IP forwarding. The redirect line isn't needed to do MASQ, the 
above 2 lines alone should do it.

Dave

Hi all,
I've installed a router with linux (a pc with an internet connection). I
would like share this connection with the others pc on my network,  but it
doesn't work. Could anyone help me?
This my config :
eth0 (10.0.0.1) connected to internet
eth1 (192.168.0.1) connected to the rest of my lan
on my second pc (192.168.0.12), i've defined the default gateway as
192.168.0.1.
On the router, I have done the following :
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
When the pc tries to ping an address on the internet, there is a message
'network unreachable'
What shall I do to make it work ?
Best regards



Re: Survey .. how many domains do you host? (Now RAID)

2001-11-02 Thread Dave Watkins

Contrary to popular belief the Highpoint chipsets are only software RAID.
The driver uses processor time to actually do the RAID work. The chip is
just an IDE controller. Based on that even if it isn't supported at a RAID
level you can still use the software RAID available in linux as the kernel
has had standard IDE drivers for the highpoint for a while now.

Hope this helps
At 08:35 AM 11/3/01 +1100, you wrote:
On the topic of RAID...
does anyone know if the HighPoint RAID chipsets are supported YET?
BSD has had support for this for ages... linux in the game yet?
Sincerely,
Jason
- Original Message -
From: "James Beam" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, November 03, 2001 6:07 AM
Subject: Re: Survey .. how many domains do you host?
> Wouldn't something like this totaly depend on the hardware resources and
> general config/maintenance of the server?
>
> I can tell you that one of my servers running an older copy of
qmail/vchkpw
> is running over 800 domains with lots of steam to spare (each domain is
> minimal traffic). Hardware is a PIII733 w256MB ram and 30GIG EIDE drives
> (promise mirror)
>
> - Original Message -
> From: "alexus" <[EMAIL PROTECTED]>
> To: "Steve Fulton" <[EMAIL PROTECTED]>; 
> Sent: Friday, November 02, 2001 11:49 AM
> Subject: Re: Survey .. how many domains do you host?
>
>
> > um.. m'key..
> >
> > you should've state that before so no one would get wrong thoughts
(like i
> > did)
> >
> > - Original Message -
> > From: "Steve Fulton" <[EMAIL PROTECTED]>
> > To: "alexus" <[EMAIL PROTECTED]>; 
> > Sent: Friday, November 02, 2001 1:58 AM
> > Subject: Re: Survey .. how many domains do you host?
> >
> >
> > > > and who are you to do such a survey?
> > >
> > >   Down boy!  Down!  LOL!
> > >
> > >   No need to snap, I'm doing this because a PROGRAM I AM WRITING has
> > > VARIABLES that need to be defined to a certain array size, as they
will
> > hold
> > > FQDN's.  In order to make this program universally useful, I would
like
> to
> > > know the maximum number of domains that has been (realistically)
hosted
> on
> > > one server.
> > >
> > >   K?
> > >
> > > -- Steve
> > >
> > > http://www.zentek-international.com/
> >
> >
>
>



Re: Survey .. how many domains do you host? (Now RAID)

2001-11-06 Thread Dave Watkins
The advantage is in building the RAID array as such.. It's much easier to
go into a BIOS on boot and say you want these three disks in a stripe array
than to install the raidtools package and edit /etc/raidtab. If you check
out the Promise cards the same applies.. There was discussion in the
hardware scene a while ago about converting a Promise Fasttrak card to a
Supertrak card (I think they are the right names). Basically converting a
PCI IDE card to a PCI IDE "RAID" card. It involved adding 1 resistor and
updating the BIOS on the card.

That shows you how little processing the card does of RAID functions. It's
not too big of a deal as there was also an article on Anandtech a while
back testing how much CPU time was used when software RAID was setup
(http://www.anandtech.com/storage/showdoc.html?i=1491&p=1). Have a read..
will fill in some holes and explain it better than I can here. Just
remember the HPT is comparable to the Promise Card

Also another article you might find helpful
http://www.anandtech.com/storage/showdoc.html?i=913&p=1
Hope this helps
At 11:19 AM 11/3/01 +1100, you wrote:
Hi Dave...
Hum... if the Highpoint chipsets are merely IDE controllers... whats the
advantage to using them over the regular plain vanilla generic IDE
controller cards?
Don't they offload ANY work from the processor at ALL? They have to have
SOME sort of benefit... otherwise, why market them as RAID controllers?
Sincerely,
Jason
----- Original Message -
From: "Dave Watkins" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, November 03, 2001 10:07 AM
Subject: Re: Survey .. how many domains do you host? (Now RAID)
>
>
> Contrary to popular belief the Highpoint chipsets are only software
RAID.
> The driver uses processor time to actually do the RAID work. The chip is
> just an IDE controller. Based on that even if it isn't supported at a
RAID
> level you can still use the software RAID avaliable in linux as the
kernel
> has had standard IDE drivers for the highpoint for a while now
>
> Hope this helps
>
> At 08:35 AM 11/3/01 +1100, you wrote:
> >On the topic of RAID...
> >
> >does anyone know if the HighPoint RAID chipsets are supported YET?
> >
> >BSD has had support for this for ages... linux in the game yet?
> >
> >Sincerely,
> >Jason
> >
> >- Original Message -
> >From: "James Beam" <[EMAIL PROTECTED]>
> >To: 
> >Sent: Saturday, November 03, 2001 6:07 AM
> >Subject: Re: Survey .. how many domains do you host?
> >
> >
> > > Wouldn't something like this totaly depend on the hardware resources
and
> > > general config/maintenance of the server?
> > >
> > > I can tell you that one of my servers running an older copy of
> >qmail/vchkpw
> > > is running over 800 domains with lots of steam to spare (each domain
is
> > > minimal traffic). Hardware is a PIII733 w256MB ram and 30GIG EIDE
drives
> > > (promise mirror)
> > >
> > > - Original Message -
> > > From: "alexus" <[EMAIL PROTECTED]>
> > > To: "Steve Fulton" <[EMAIL PROTECTED]>; 
> > > Sent: Friday, November 02, 2001 11:49 AM
> > > Subject: Re: Survey .. how many domains do you host?
> > >
> > >
> > > > um.. m'key..
> > > >
> > > > you should've state that before so no one would get wrong thoughts
> >(like i
> > > > did)
> > > >
> > > > - Original Message -
> > > > From: "Steve Fulton" <[EMAIL PROTECTED]>
> > > > To: "alexus" <[EMAIL PROTECTED]>; 
> > > > Sent: Friday, November 02, 2001 1:58 AM
> > > > Subject: Re: Survey .. how many domains do you host?
> > > >
> > > >
> > > > > > and who are you to do such a survey?
> > > > >
> > > > >   Down boy!  Down!  LOL!
> > > > >
> > > > >   No need to snap, I'm doing this because a PROGRAM I AM WRITING
has
> > > > > VARIABLES that need to be defined to a certain array size, as
they
> >will
> > > > hold
> > > > > FQDN's.  In order to make this program universally useful, I
would
> >like
> > > to
> > > > > know the maximum number of domains that has been (realistically)
> >hosted
> > > on
> > > > > one server.
> > > > >
> > > > >   K?
> > > > >
> > > > > -- Steve
> > > > >
> > > > > http://www.zentek-international.com/
> > > >
> > > >
> > >
> > >
> >
> >



Re: RAID & Hard disk performance

2001-11-06 Thread Dave Watkins
Not to start a holy war, but there are real reasons to use SCSI.
The big ones are
Much larger MTBF, faster access times due to higher spindle speeds, better
bus management (eg 2 drives can perform tasks at once unlike IDE), Hot
Swappable (This is HUGE) and more cache on the drive.

I'll stop now before I start that war :-)
Dave
At 11:20 AM 11/4/01 +1100, you wrote:

> There's a number of guides that tell you about hdparm and what DMA is, 
but if
> you already know that stuff then there's little good documentation.

"Oh bum." :)
> Then on the rare occasions that I do meet people who know this stuff
> reasonably well they seem to spend all their time trying to convince me 
that
> SCSI is better than IDE (regardless of benchmark results).  :(

Heh, there's a religious war waiting to happen.
> > [1] http://people.redhat.com/alikins/system_tuning.html
I've just found that iostat (in unstable's sysstat package) supports
extended I/O properties in /proc if you have sct's I/O monitoring patches.
Unfortunately, the last one on his ftp site is for 2.3.99-preBlah. I sent an
email to lkml last night to see if there's a newer patch - I'll follow up
here if so.
Thanks Russell,
- Jeff
--
   Wars end, love lasts.



RE: RAID & Hard disk performance

2001-11-06 Thread Dave Watkins
DOA should be a non issue from a reputable supplier. I know we test all our
drives before shipping any of our machines. A few things you're forgetting
is that traditionally SCSI drives run 24x7 until they fail. IDE drives run
for 8 hours a day, 5 days a week. Also there are a lot of lower end servers
out there with insufficient cooling, and hard drives are probably the first
thing this will significantly damage.

Dave
At 12:46 PM 11/6/01 -0700, you wrote:
That is kind of funny, in my experience I have found that SCSI drives have a
much higher death rate than IDE drives, by far.
I just finished a project of installing 50+ servers, some with RAID
configurations, some without, all using SCSI drives.  Five were dead upon
arrival and will need to be exchanged with the vendor.  Two more died a
short time after installation.  I expect more deaths, which is why critical
systems are using RAID.  This mirrors my other experiences with SCSI as
well.  The drives just seem to die more often -- not in huge numbers, just a
few at a time.
A few months back on another project we bought about 30 IBM IDE drives for
office members, taking them off of low capacity SCSI drives.  All are okay,
no deaths, no loss of data after about a year.  This also mirrors my
previous experiences with IDE drives.  They seem to be more rugged.  Western
Digital, and older Maxtor make up the majority of my IDE death experiences.
My only reasoning for this is the higher spindle speeds and the push for
speed on SCSI drives and the lower quantities produced versus IDE.
That might go against logic, but it is what I have experienced.

# Jesse Molina  lanner, Snow
# Network Engineer  Maximum Charisma Studios Inc.
# [EMAIL PROTECTED]1.303.432.0286
# end of sig
> -Original Message-
> From: Dave Watkins [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 05, 2001 11:27 PM
> To: debian-isp@lists.debian.org
> Subject: Re: RAID & Hard disk performance
>
>
> Not to start a holy war, but there are real reasons to use SCSI.
>
> The big ones are
>
> Much larger MTBF, faster access times due to higher spindle
> speeds, better
> bus management (eg 2 drives can perform tasks at once unlike
> IDE), Hot
> Swappable (This is HUGE) and more cache on the drive.
>
> I'll stop now before I start that war :-)
>
> Dave
>
> At 11:20 AM 11/4/01 +1100, you wrote:
> >
> >
> > > There's a number of guides that tell you about hdparm and
> what DMA is,
> > but if
> > > you already know that stuff then there's little good
> documentation.
> >
> >"Oh bum." :)
> >
> > > Then on the rare occasions that I do meet people who know
> this stuff
> > > reasonably well they seem to spend all their time trying
> to convince me
> > that
> > > SCSI is better than IDE (regardless of benchmark results).  :(
> >
> >Heh, there's a religious war waiting to happen.
> >
> > > > [1] http://people.redhat.com/alikins/system_tuning.html
> >
> >I've just found that iostat (in unstable's sysstat package) supports
> >extended I/O properties in /proc if you have sct's I/O
> monitoring patches.
> >Unfortunately, the last one on his ftp site is for
> 2.3.99-preBlah. I sent an
> >email to lkml last night to see if there's a newer patch -
> I'll follow up
> >here if so.
> >
> >Thanks Russell,
> >
> >- Jeff
> >
> >--
> >Wars end, love lasts.
> >
> >



Re: RAID & Hard disk performance

2001-11-06 Thread Dave Watkins
God.. this is turning into a war... I think this will be my last post on 
the subject

When running RAID MTBF is not such a big deal... Unless you have several
racks of servers in 2U cases...  40-50 servers.. Would you rather drop 1
drive every month or 1 drive every year?? In a single machine this isn't
too much of a problem. But as numbers increase you spend more and more time
in the server room replacing drives and rebuilding arrays.

At 03:09 PM 11/6/01 +0100, you wrote:
> On Tue, 6 Nov 2001 07:26, Dave Watkins wrote:
> > Not to start a holy war, but there are real reasons to use SCSI.
> >
> > The big ones are
> >
> > Much larger MTBF,
>
> Mean Time Between Failures is not such a big deal when you run RAID.  As long
> as you don't have two drives fail at the same time.  Cheaper IDE disks make
> RAID-10 more viable, RAID-10 allows two disks to fail at the same time as
> long as they aren't a matched pair.  So a RAID-10 of IDE disks should give
> you more safety than a RAID-5 of SCSI.
>
> > faster access times due to higher spindle speeds, better
>
> When doing some tests on a Mylex DAC 960 controller and a Dual P3-800 machine
> I found speed severely limited by the DAC.  The performance on bulk IO for
> the 10K rpm Ultra2 SCSI drives was much less than that of ATA-66 drives.

That was a problem with your controller then. Not the technology and bus
system.

For example head over to Seagate's web site
http://www.seagate.com/support/kb/presales/performance.html
http://www.seagate.com/docs/pdf/training/SG_SCSI.pdf

You also mention on your site that a typical SCSI drive can only sustain
30MB/sec so cannot fill a SCSI bus running at 160MB/sec. The difference
between SCSI and IDE is that SCSI can have multiple transfers at once.
Hence a 6 drive system could easily fill the bus. In fact with too many
more drives/channels you start filling the PCI bus and have to start
looking at PCI 64/66.

IDE on the other hand cannot have multiple transfers at once.

You'll also find that SCSI and IDE sizes are not identical. SCSI drives have
approx 9GB per platter and IDE about 10GB.
You can find IDE drives in 20.4, 30.6 etc etc. SCSI on the other hand come
in 18GB, 36GB etc etc.

> > bus management (eg 2 drives can perform tasks at once unlike IDE), Hot
>
> See http://www.coker.com.au/~russell/hardware/46g.png for a graph of
> performance of an ATA disk on its own, two ATA disks running on separate
> busses, and two disks on the same bus.  From that graph I conclude that most
> of the performance hit of running two such drives comes from the motherboard
> bus performance not from an IDE cable.  That graph was done with an old
> kernel (about 2.4.1), I'll have to re-do it with the latest results from the
> latest kernel.
>
> Anyway motherboards with 4 IDE buses on the motherboard are common now, most
> servers don't have more than 4 drives.

I think we are talking about different ends of the spectrum. You are
talking about low end systems with 4 drives. I'm talking about larger
systems with 5 or more drives. As an example a 2 drive mirror array for the
OS and a 3 drive RAID 5 array for data etc, or even a 0+1 array with 4 or 6
drives

> > Swappable (This is HUGE) and more cache on the drive.
>
> NO!  SCSI hard drives are no more swappable than ATA drives!  If you unplug
> an active SCSI bus you run the same risks of hardware damage as you do for
> ATA!
>
> Hardware support for hot-swap is more commonly available for SCSI drives than
> for ATA, but it is very pricey.

Actually Hotswap backplanes are not actually that much more expensive if
you plan on it. If you are talking about a $20,000 server, the HS backplane
only adds $300 to that. SCA drives are about the same price




Re: rogue Chinese crawler

2001-11-24 Thread Dave Watkins
I'm sure it's been said before but why not just configure iptables to drop 
the packets from 139.175.250.23?

Then it CAN'T connect
At 07:34 PM 11/24/01 +, Martin WHEELER wrote:
On Sat, 24 Nov 2001, Hereward Cooper wrote:
> > Despite what I put in any robots.txt, this one disregards all rules and
> > just jams up my system, downloading every damn' thing in sight.
> > Mails to the owners are totally disregarded.
>
> Have you actually seen:
> http://www.openfind.com.tw/robot.html
>
> It talks about the robot and how to get it to stop accessing your site.
Hereward -- did you read my first paragraph?
(But to answer your question -- yes -- _of course_ I've actually seen
the robot.html page.)
The site tacitly admits that people are having difficulty getting rid of
the 'bots -- and DESPITE applying every fix so far suggested to me, this
is from tonight's access.log:
robot12.openfind.com - - [24/Nov/2001:18:38:27 +] "GET
/familycentury/twins/ HTTP/1.0" 200 3054 "-" "Openfind data gatherer,
Openbot/3.0+([EMAIL PROTECTED];+http://www.openfind.com.tw/robot.html)"
OK?
(Mind you, I may slowly be working my way through killing off 16
different 'bots, but I'm still leery.)  I seem to have reduced it to 5
hits per attack -- instead of 45 minutes continuous lockup, as
experienced yesterday -- but it seems to be ignoring all attempts to
keep it out of my system.
From off-list correspondence I know I'm not the only victim, either.
Degree of annoyance varies from site to site (possibly dependent on
overall site setup).
Martin



Qmail and Stunnel

2002-01-03 Thread Dave Watkins
Hi All
I've just setup qmail to run over stunnel for POP on port 995. Below is the 
command I use to run it

#!/bin/sh
exec /usr/local/bin/softlimit -m 300 \
    /usr/local/bin/tcpserver -DRHv -l 0 0 995 \
    /usr/sbin/stunnel -l /var/qmail/bin/qmail-popup \
    /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1

The first time I checked with Outlook Express I was prompted with the 
certificate warning etc. I accepted that and now get this error after 
having the login/password windows popup several times (because of the failure)

There was a problem logging onto your mail server. Your Password was 
rejected. Account: 'dave', Server: '192.168.20.251', Protocol: POP3, Server 
Response: '-ERR this user has no $HOME/Maildir', Port: 995, Secure(SSL): 
Yes, Server Error: 0x800CCC90, Error Number: 0x800CCC92

My concern is the no $HOME/Maildir, but I can't understand why it's not 
working. Standard logins to port 110 are fine. Basically all I did was copy 
my run script from the normal POP service and change the port tcpserver 
listens on and add the stunnel command.

Thanks
Dave



Re: blocking ports

2002-01-10 Thread Dave Watkins
Firstly look through the services you run and see if they can be bound to a
single interface only. If they run from inetd you can replace it with
xinetd to gain this functionality. Secondly (and this may or may not work,
I've never actually tried it), you could try rejecting the packets rather
than dropping them. That should return a port closed type message to nmap
so it would be unable to tell that the port is filtered.

At 08:34 10/01/2002 -0700, David Bishop wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm running a server that's hot to the net, and running some insecure
services (by necessity), like nfs.  Of course, I used iptables to block all
those ports, using nmap and netstat to double check all my open ports.
However, what nmap reports back is "filtered" for those ports.  I would
prefer if I could somehow make it so that they are "closed" to the outside
world, so that random j. hacker doesn't know that I'm running that service at
all.  Is there some way to do that, or do I just live with "filtered"?
TIA and HAND!
- --
D.A.Bishop
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8PbSkEHLN/FXAbC0RAujUAJ0V5VD9ct2NbznFwtg4+j6D/rtmzACdEFDy
EUlPKvw//odhMmweQ5Yx5dw=
=3oEF
-END PGP SIGNATURE-
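
An added example, not part of either message above: nmap's SYN scan reports a TCP port as closed only when it gets a RST back, and a UDP port as closed only on an ICMP port-unreachable, so the REJECT target has to be told which reply to send per protocol. The script prints the rules rather than applying them; the interface name eth0 and the portmapper/NFS ports 111 and 2049 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules
# that REJECT instead of DROP, so a blocked port answers like an unused one.
# Assumed values: interface eth0, portmapper on 111, NFS on 2049.

# reject_rules IFACE PROTO PORT...
# Emits one "iptables -A INPUT ..." line per port on stdout.
reject_rules() {
    if [ $# -lt 3 ]; then
        echo "usage: reject_rules IFACE tcp|udp PORT..." >&2
        return 1
    fi
    iface=$1
    proto=$2
    shift 2
    case $proto in
        # A closed TCP port answers a SYN with RST. REJECT's default reply
        # (ICMP port-unreachable) would still be reported as "filtered".
        tcp) reply=tcp-reset ;;
        # A closed UDP port answers with ICMP port-unreachable.
        udp) reply=icmp-port-unreachable ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    for port in "$@"; do
        # Digits only, at most five of them, then a range check.
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
        printf 'iptables -A INPUT -i %s -p %s --dport %s -j REJECT --reject-with %s\n' \
            "$iface" "$proto" "$port" "$reply"
    done
}

# ruleset IFACE: the full set for the sample services, TCP and UDP.
ruleset() {
    reject_rules "$1" tcp 111 2049 &&
    reject_rules "$1" udp 111 2049
}

# Print the rules when run with an interface name, e.g. "sh reject.sh eth0".
if [ $# -eq 1 ]; then
    ruleset "$1"
fi
```

Rules appended with -A only take effect if no earlier DROP rule matches the same packets, so they have to replace the existing DROP rules rather than follow them.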



Re: RAID Suggestion for webserver

2002-02-15 Thread Dave Watkins
Hi All
RAID 0 gives the best read and write performance as the data is striped
across the drives.
RAID 1 gives the same write performance as a single drive but read
performance is faster than a single drive (as there are always 2 drives
that the data can be read from, hence the controller can choose the drive
not being accessed / with its head closest to the needed data).
RAID5 gives read performance a boost for the same reason as RAID0, but write
performance is only slightly faster than a single drive as the array must
'stop' while the controller calculates the parity bit and writes that to a
drive.

Overall the chances of 2 drives failing at the same time are very small and
if they do you look to your backup. Also running all your services on one
box will be fine for a small setup, but if you have big plans you will
quickly run out of processing power (especially with a database on the
box). It would seem unlikely that the HDD transfer speed will be the
bottleneck.

At 02:53 14/02/2002 +0800, Jason Lim wrote:
> It shouldn't be any worse write performance than RAID-5, and read
performance
> should be good!
>
With RAID 5, isn't the data distributed (along with parity data) to the
various disks, while with RAID 1 the whole data is written to all disks?
I'm guessing that each disk writing only part of the data to each disk
would lead to faster performance (as long as the controller can handle
sending the data to all the disks that fast).
Read performance... if it is RAID 1 i suppose it would depend on how good
the read algorithm is? Worst case it would be the same as a single disk.
But if it is RAID 5, wouldn't it only need to read a bit of the data from
each disk (to build up the complete data)?
(I may be wrong with the above information, i'm no raid expert).
> Instead of having one server for 50 accounts which does everything, why
not
> have different servers for different services?  Then you could have
three web
> servers for several thousand domains instead of getting a new server for
> every 50...
>
I could see a lot of headache doing it that way, including user
authentication and how to tie all the services together in a nice neat
package that is easy to manage/maintain. Virtually all the publically
available solutions (Plesk, Hostplus, etc.) do it on a per-server basis,
and that would include Cobalt's Raqs.
I suppose if we have many thousands of accounts it would be more
economical to do it your way (seperate mail server, ftp server, auth
server, www server, database server, etc. each specialized in both
software and hardware) but we don't have THAT many customers ;-)  Mostly
we put lower-end clients on servers with 100-200 or so clients, with
higher end clients on servers with 50 or less. Works out pretty well that
way, as you can then artificially "manage" the performance you give
clients (of course, this is not direct control, but it achieves the same
goal).



Re: how to design mysql clusters with 30,000 clients?

2002-05-22 Thread Dave Watkins
At 16:02 22/05/2002 +0800, Patrick Hsieh wrote:
> Hello list,
>
> I am expecting to have 30,000 http clients visiting my website at the
> same time. To meet the HA requirement, we use dual firewall, dual
> Layer-4 switch and multiple web servers in the backend. My problem is,
> if we use the user-tracking system with apache, php and mysql, it will
> surely bring a huge amount of database traffic. How can I balance mysql
> load among multiple mysql server yet assure the data consistency among
> them? My idea is:
>
> 1. use 3 or more mysql servers for write/update and more than 5 mysql
> servers for read-only. Native mysql replication is applied among them.
> In the mysql write servers, use 1 way replication like A->B->C->A to
> keep the data consistency. But I am afraid the loss of data, since we
> can't take the risk on it, especially when we are relying our billing
> system on it.

This will not work. MySQL replication does not work like that. With MySQL
replication you have one master and all others replicate from it. It is
also the only server that can write to the DB. Your options for following
this route would be to either use the experimental 2 way replication
support in the beta of MySQL4. Or use a different DB

Dave



Re: [interfaces + route] My new firewall doesn't forward packages

2002-06-05 Thread Dave Watkins
Do you have IP forwarding turned on?
echo 1 > /proc/sys/net/ipv4/ip_forward
At 15:46 4/06/2002 +0200, Davi Leal wrote:
Hi there,
We have an ISP: email, web, ftp, dns and radius servers. I'm trying to
replace an old firewall (2.0.x kernel) with a new one (2.4.18 kernel). I am
using the 'mimic' strategy, that is to say, getting the same routing table,
... etc.
*The problem*:  The current "new firewall" configuration can not forward any
package. Note that iptables is stopped and all policy (INPUT, OUTPUT &
FORWARD) are set to ACCEPT. I think it is because of the routing table.

I have eth0 and eth1. With the below /etc/network/interfaces' file I get two
lines in the router table.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
 address 194.224.7.9
 netmask 255.255.255.0
 network 194.224.7.0
 broadcast 194.224.7.255
 gateway 194.224.7.1
auto eth1
iface eth1 inet static
 address 194.224.7.10
 netmask 255.255.255.0
 network 194.224.7.0
 broadcast 194.224.7.255

Adding some routing rules to the previous 'interfaces' file (see attached
file), to mimic the old firewall routing table I get the below:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.128.114.2    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
194.224.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.128.114.4    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
194.224.7.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
194.224.7.90    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
194.224.7.0     0.0.0.0         255.255.255.128 U     0      0        0 eth1
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0  <---
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1  <---
0.0.0.0         194.224.7.1     0.0.0.0         UG    0      0        0 eth0
In the old system I have the same but without these two lines below. Is this
the cause of the system not forwarding any package? How could I modify the
'interfaces' file to remove these two lines? See attached the
'/etc/network/interfaces'.
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
Regards,
Davi Leal


--
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
up route add 127.0.0.1 dev lo
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
# eth0 goes to outside (Internet)
auto eth0
iface eth0 inet static
 address 194.224.7.9
 netmask 255.255.255.0
 network 194.224.7.0
 broadcast 194.224.7.255
 # Default route to Internet via eth0
 gateway 194.224.7.1
# Route to go to the Cisco 194.224.7.1 via eth0
up route add 194.224.7.1 dev eth0
# Route to go to Tunels Server 194.224.7.90 via eth0
up route add 194.224.7.90 dev eth0
# Route to go to internal firewall network card
up route add 194.224.7.9 dev eth0
# eth1 goes to the internal network
auto eth1
iface eth1 inet static
 address 194.224.7.10
 netmask 255.255.255.0
 network 194.224.7.0
 broadcast 194.224.7.255
 # gateway 194.224.7.1
# Route to 194.224.7.0/128 via eth1
up route add -net 194.224.7.0 netmask 255.255.255.128 dev eth1
# Route to Radius server via eth1
up route add 10.128.114.2 dev eth1
# Route to 'Telefonica Infovia' via eth1
up route add 10.128.114.4 dev eth1




Spamassassin and Qmail

2002-06-30 Thread Dave Watkins
Hi All
I've been trying to get Spamassassin working with Qmail for a few days with
no luck. All I want it to do is tag the messages as spam so they can be
filtered by the email clients easily. I've applied the qmail-queue patch
and set the qmailqueue variable to point to the script I want it to run
(contents below)

---
#!/bin/sh
exec /usr/bin/spamc /var/qmail/bin/qmail-inject -n
---
From what I can understand from the spamassassin documentation (which is 
very brief, and has almost no info on setting it up server side), you need 
to interrupt the delivery queue and send it through spamassassin first, 
which is fine and my setup should be working. Spamd is running and the 
sample-spam files work fine, headers are added etc.

I believe my problem is in the above script as everything else I can find 
says you need to run qmail-qfilter or a full blown virus scanner system, 
but I don't want to filter the messages, just add the headers, and I don't 
want to do email scanning in this box. I'm starting to think that qmail 
isn't checking the variable but there is no way to check (as far as I 
know), but I've definitely patched qmail properly and installed the
modified binaries.

Anyone have any ideas?
Thanks
Dave



Re: virtual FTP hosting?

2002-07-15 Thread Dave Watkins
At 18:20 14/07/2002 +0200, Thomas -Balu- Walter wrote:
+ B.C.J.O <[EMAIL PROTECTED]> [14.07.02 17:53]:
> On Sun, 14 Jul 2002, Thomas -Balu- Walter wrote:
>
> > I am wondering what FTPDs you are using to support the following:
> >
> > - non local users in (My)SQL-Database
> > - permit access to these users only to ~/ (chroot)
> >
> > So far the only one I've found is proftpd. Other suggestions?
>
> proftpd is the best ftpd available, but the absence of a 'host' component
> in the ftp specification drastically limits the 'virtuality' you can
> achieve with the service. you have to bind each virtual server to a new ip
> address/alias.
Of course. I was not thinking of virtual domains but virtual users (aka
webspaces). ProFTPd was known to be the "best" by me ATM, because it was
the only one. But a first quick view on pureftpd makes me want to use
that instead.
Of course the first view can only be a quick look at website (actual?,
structure?), features and documentation (complete?) and pureftpd looks
much nicer regarding these facts :)
There are debian packages for it
(http://www.pureftpd.org/README.Debian), but I wonder why it's not
included into woody yet? :)
 Balu
PureFTPd is very good (I use it here for the exact purpose above), plus it 
has been written with security in mind. There are deb's for it but they are 
VERY OLD. I floated the question of someone maintaining new packages for it
and someone said they would be happy to. Unfortunately I haven't heard
any more of it, I'm happily using the old packages still as there aren't any
holes that I'm aware of in it :-)

Dave



Re: [Help] ttyS1 is not working!!!!

2002-07-24 Thread Dave Watkins
If it's an internal modem you may/will have to disable COM2 in the BIOS
At 17:13 24/07/2002 +0800, axacheng wrote:
Hello List:
I have two modems connected to two serial ports (ttyS0, ttyS1).
When I type "dmesg|grep tty" it shows:
ttyS00 at 0x03f8 (irq = 4) is a 
16550A 3
ttyS01 at 0x02f8 (irq = 3) is a 16550A

It seems ttyS0 and ttyS1 were probed by the kernel and DID NOT conflict with
other devices!

When I type "cat /dev/ttyS0" some data comes back;
however, when I type "cat /dev/ttyS1" there is NO response from ttyS1.
I checked /proc/tty/driver/serial and got the following information:
0: uart:16550A port:3F8 irq:4 baud:9600 tx:58092 rx:8328903 DSR|CD
1: uart:16550A port:2F8 irq:3 baud:9600 tx:0 rx:0
So I am very sure ttyS1 is NOT working!
I have looked through a perfect
URL: http://www.tldp.org/HOWTO/Modem-HOWTO-17.html

but it does not refer to this [EMAIL PROTECTED]@
Anyone got ideas as to the nature/solution of this problem?
--
Trust & Unique ...
Axacheng's PGP Public Key   http://www.navigation.idv.tw/pgpkey




Re: Proftpd+SSL/TLS!!!

2002-08-02 Thread Dave Watkins
Hi,
Sorry if this has been said. I haven't been following the thread, but why
not set up stunnel and run proftpd through that? I've done it here for mail
and it works great (even with qmail and daemontools), so I see no reason
why you couldn't do the same for FTP

Dave
At 14:32 1/08/2002 +0200, Jones Down wrote:
Hi,
> Does anyone knows Proftpd+SSL/TLS was official idea from Proftpd 
It's something I absolutely don't understand: the developers of
proftpd are not supporting this, don't ask me why, it's a real
problem... unfortunately I am no C-Coder, so I would do it
myself...*sigh* ... proftpd has really nice features (mysql lookup
e.g.), but NO SSL, and there's no ssl on the roadmap.
> Anyone got ideas as to the nature/solution of this problem?   ;-)
Well you could do a
apt-get install ftpd-ssl
but then you do not have all those nice advanced features of proftpd,
afaik no mysql-backend.
Also there is one bsd-ftp that can be found here:
http://bsdftpd-ssl.sc.ru/
it uses pam for authentication, so somehow also keeping your users in
a mysql-db should be possible, but I didn't get it to work.
My alternative is to use ssh, there is a really beautiful win-prog to
use scp, looks like mc, can be found here:
http://winscp.vse.cz/eng/
but then again you should set up a chroot environment, because it's
still not possible to restrict access to a directory with ssh as
tight as with some ftp-servers, because ssh needs some libraries and
stuff, so there will always be more than just one upload-dir to see
for the users. Also don't forget that with ssh your users have a full
shell account, so building that jail should be done with real care. In
most cases it's more than you want to give them - what again makes me
cry about missing ssl in proftpd :(
generally I also really would be happy, if one of the "big boys" could
tell us how to do it and which tools to set up, to get a secure
ftpd. A nice solution would be to have mysql-backed virtual users for
ease of administration.
Have a nice day,
Jones



Re: multiple webcams via one linux box

2002-08-23 Thread Dave Watkins
At 18:00 23/08/2002 +0200, Nicolas Bougues wrote:
On Fri, Aug 23, 2002 at 10:06:40AM -0500, Bernie Berg wrote:
> Hi, I have a project that could potentially have 85 webcams.  The easy
> thing to do would be to use an Axis network camera and just link to its
> own webserver from my linux web server (or whatever).  But these run
> about 300 bucks, that would be about 25 grand for 85 cams.  X10 on the
> other hand (I hate their website, it looks like it is from 1994), has
> much cheaper cameras, and they are wireless.  You can get a usb adapter
> to input them into a computer.  Ummm, anyone have luck linking 85 usb
> webcams into one linux box?  Any other suggestions?
>
USB can't have more than 63 devices per bus.

FYI 127 is the max for USB, 63 is for Firewire



Re: Qpopper

2002-08-29 Thread Dave Watkins
Hi Sonny
Perhaps it's a DNS issue?
You will get LONG delays when daemons can't do reverse lookups on the 
connecting addresses.

Dave
At 22:34 28/08/2002 -0500, Sonny Kupka wrote:
Hello all.
I'm new to Debian ..
Switched over from Slackware after years of doing things the manual way 
figured I would try this for a while :)

Anyways...
I installed qpopper on my system using dselect..
Install went flawless but when you try to pop mail from the server the 
connection would just sit there..

I since switched to using solid-pop and I don't like that at all.. Getting 
tons of complaints about dup mails...

If anyone has any ideas as to why qpopper wouldn't auth I'm all ears 
because I really would like to get back to using it.

Just another note.. I compiled a version with my own configure settings 
like I would on Slackware.. that did the same thing..

I even tried taking the tcpd out of inetd.conf to make sure it wasn't an 
allow problem..

Only thing I haven't looked at is the pam stuff.. I'm not at all familiar
with pam because Slackware never had it.. I will be reading up on that
in case it might be messing with things..

Thanks for any pointers...
---
Sonny



Re: Qmail+Spamassasin

2003-02-25 Thread Dave Watkins
Try this
http://www.magma.com.ni/~jorge/spamassassin.html
If you have any grief let me know as I've got it running here from these 
instructions

Dave
At 13:16 25/02/2003 +0100, Jasper Metselaar wrote:
Hi,
Is there someone who's using Spamassassin together with Qmail (Gerrit
Pape's packages)? I am trying to get this combination working, but didn't
succeed yet. If someone knows a good how-to document I would be very grateful.
Thanks in advance!
- Jasper




Re: On SMP, getting: Message from watchdog: The system will be rebooted because of error -3!

2003-09-08 Thread Dave Watkins
Russell Coker wrote:

On Mon, 8 Sep 2003 17:46, Jason Lim wrote:

I had set the loadavg to such an absurd number, I never thought it could
be that. It NEVER peaks that high on a single CPU (well... without HT SMP
on). Is this normal? Do SMP systems tend to spike a lot higher than
regular single CPU ones?
Strange thing is... the previous 2Ghz CPU... never went that high... and
now with a 2.8Ghz HyperThreading processing, the load average actually
increases (or at least the spiking load average). Is this a trait of SMP?


Adding more CPUs will not affect the load average if it's IO related.  If it's 
CPU usage related then more CPU power should decrease the load average.

Of course kernel bugs could be triggered by a different hardware 
configuration, but that's not a likely possibility at this time.

I suggest checking for any cron jobs etc that might have caused high load.

This is probably due to the HT nature of the CPU. For example if one
thread is using a part of the CPU that isn't duplicated, and then a
second thread on the "other" logical CPU also wants those resources, you
could effectively have 150% CPU load until the first thread finishes with
those resources as the second thread will be waiting.

Dave





Re: spec-ing/dimensioning a server?

2003-11-25 Thread Dave Watkins
Hi Neale

I would look at changing a few things here. Of course these depend on
the budget available and the uptime required from the server.

I would look at getting a different CPU, specifically an 800MHz FSB CPU.
The 2.4C should be the same price if not cheaper and will give you the
same or better performance (this also takes advantage of the memory you
are installing as the CPU and memory have to run in sync on Intel
chipset boards). You may also want to look at an 875 chipset motherboard
as this will give you the capability to run ECC memory and I would
recommend it for a server. Again the price difference shouldn't be too
much, although the ECC mem may cost a bit more in my opinion it would be
worth it for the peace of mind. This may be counteracted if you can get
a board with on-board video as you can then do away with the video card
(something like this http://www.intel.com/design/servers/s875wp1-e/)

Since HDD space doesn't seem to be a concern it may be worth looking at 
the Raptor series of drives from WD. They are S-ATA drives which may be 
a problem with the RAID card you're using and they will cost you more, 
but they give you 10,000 RPM drives built for enterprise class use (5 
year warranty and high MTBF)

Finally worth considering is redundant power if this box needs a high 
uptime, although this is usually a sizable jump in price and if you can 
live with a little downtime then it's probably not worth the price. 
Especially if you can connect the machine to an On-line UPS.

Hmm this became longer than I expected :-)

Hope it helps

Dave

Neale Banks wrote:

Hi all,

As part of a project I'm involved in, we need to deploy a new server
(ia32, FWIW: running Debian "sarge") to run a MySQL database (SME-sized,
moderate complexity but not particularly large) + Java Application.
I figure that upgradability probably isn't a big issue here, as the
obvious path is to deploy a second machine and separate the SQL and java
onto separate hosts.
A spec being considered includes:

DFI PS83BL Intel 865 Chipset Hyper Threading Main Board
(H/Threading, 800MHz FSB, AGP 8x, DDR400,
6-channel audio, S/PDIF-in/out, SATA, LAN, USB 2.0)
Pentium 4 2.66GHz (533Mhz) CPU
2 x 512MB DDR400 Memory
3Ware 7506-4LP ATA 133 RAID Controller
2 x 40GB WD JB-series IDE HDD (7200RPM, 8MB Cache)
(disks to run mirrored)
Geoforce2 MX400 64MB DDR Graphics Card
52x IDE CDROM
(usual bits: FDD, k/board etc)
Anyone care to comment as to the appropriateness of the above spec (i.e.
strengths, weaknesses, over/under-kill etc), in particular in terms of
value-for-money?
Thanks,
Neale.





Re: spec-ing/dimensioning a server?

2003-11-25 Thread Dave Watkins
Mark Ferlatte wrote:

Nate Duehr said on Tue, Nov 25, 2003 at 09:13:48AM -0700:

Agreed on the "as fast a CPU as you can afford" and the 10K RPM disk 
comments.  However I'm not a huge fan of SATA yet.  There's been quite a 
bit of discussion on various mailing lists of people having trouble with 
them.  I'm old-school and would prefer the more expensive SCSI 
SCA-connector'ed disks in most of the servers I have spec'ed.
 
Which lists?  I've had a hell of a time with SCSI SCA connected disks; a single
bad SCSI disk can wipe out the whole chain, whereas with SATA that seems to be
less likely.  I'd be interested in hearing about SATA ickyness, though; from
what I've seen, it seems like a good thing.


SCA connected disks run through a backplane which should prevent this 
happening. I would have also suggested SCSI but it seemed price was an 
issue and this would have certainly been expensive when coupled with a 
RAID card

I tend to lean toward motherboards with a real serial port on them also, 
as you can configure a serial console to come up on one of them and use 
that from a laptop or what-have-you when you go to do maintenance 
instead of lugging a monitor/keyboard over to it.  But they're getting 
harder to find.
 
Not if you get a real server board; the newer Intel based ones have BIOS access
via the serial console.  :)
Actually they also have BIOS access via LAN. :-)

Dave



Re: spec-ing/dimensioning a server?

2003-11-27 Thread Dave Watkins
Mark Ferlatte wrote:

Dave Watkins said on Wed, Nov 26, 2003 at 06:38:39PM +1300:

Mark Ferlatte wrote:

Which lists?  I've had a hell of a time with SCSI SCA connected disks; a
single bad SCSI disk can wipe out the whole chain, whereas with SATA that
seems to be less likely.  I'd be interested in hearing about SATA ickyness,
though; from what I've seen, it seems like a good thing.

SCA connected disks run through a backplane which should prevent this
happening. I would have also suggested SCSI but it seemed price was an issue
and this would have certainly been expensive when coupled with a RAID card
 
I can say from experience that this is not guaranteed.  I've had an SCA system
explode from inserting a faulty replacement disk just recently.  It sucked.

I am still curious to know of places where people talk about this sort of
thing; though.  At this point, SATA seems like the best option.
If you've got them in an Intel Server Chassis try firmware updates to 
the HS backplane and perhaps RAID card

Not if you get a real server board; the newer Intel based ones have BIOS
access via the serial console.  :)
Actually they also have BIOS access via LAN. :-)


Really?  Mine don't, but that doesn't surprise me.  How does it work?
Depends on the board and the version of ISM (all 5.x.x versions support it
from memory) installed but it's a component in ISM. It's also worth
mentioning that only the first LAN port can support it and if you have
that teamed then it won't work. The only problem I've seen is that there
is a noticeable delay and if you're trying to get into the BIOS you need
to be pressing F2 before you even see the screen come up but that's easy
to work around :-)

Dave



Re: Exim accepting mail from specific hosts

2003-12-17 Thread Dave Watkins
Configuring Exim to do this would seem like a bad idea, in that your
machine then has to accept a connection to determine if you do in fact
even want to accept the mail. Ideally you would get the MX record for
your domain pointing to your provider's mail server (with perhaps a
backup MX pointing to yours). That way under normal conditions mail will
be routed through your provider's mail servers unless they are down, and
if they are down it will be routed to you. This will probably require
some configuration changes on your provider's servers but nothing major
(just a routing line in a config file).

The other option would be to firewall off port 25 for inbound traffic
unless it came from your provider's mail server, although this is much
less elegant

Dave

Adam Dawes wrote:
Hi,

I've implemented a spam service where a provider is filtering all my 
domain's mail before it hits my server. I want to lock down my mail 
server so it only accepts mail from those machines to prevent spammers 
from mailing directly to my host and doing directory harvests.

What do I need to stick in my exim.conf to accept mail from just those 
hosts that will be processing my mail?

thanks,
Adam





Re: Exim accepting mail from specific hosts

2003-12-18 Thread Dave Watkins
Adam Dawes wrote:

Yes, that was part of the plan, to point my mx records to my provider. 
Therefore, any connections to my port 25 should be from only folks that 
are port scanning (sounds like a spammer to me). Think this is best done 
as a firewall issue or via David's host_reject option?

thanks,
Adam
Dave Watkins wrote:

Configuring Exim to do this would seem like a bad idea, in that your
machine then has to accept a connection to determine if you do in fact
even want to accept the mail. Ideally you would get the MX record for
your domain pointing to your provider's mail server (with perhaps a
backup MX pointing to yours). That way under normal conditions mail
will be routed through your provider's mail servers unless they are
down, and if they are down it will be routed to you. This will
probably require some configuration changes on your provider's servers
but nothing major (just a routing line in a config file).

The other option would be to firewall off port 25 for inbound traffic
unless it came from your provider's mail server, although this is much
less elegant

Dave
Depends on what logging you want (or more precisely where you want it
logged) and the load you can handle. Also perhaps how often and how many
other connections you will want to allow (if any).

If you want to log all the failed connections and don't want another log
to go through to see who's trying to connect then obviously letting exim
do it would be preferable, this is assuming your machine can handle the
load of spawning exim processes for no real purpose other than logging
but I don't think that would be a problem. This would also be better if
you want to allow some server(s) to connect directly otherwise you will
have to maintain firewall setup that will get more and more complicated
as the number of allowed hosts increases.

If you're not concerned about logging or are happy to log to another
file, and you won't be receiving mail from anyone other than this single
host then a firewall would probably be the better option.

Dave

Adam Dawes wrote:

Hi,

I've implemented a spam service where a provider is filtering all my 
domain's mail before it hits my server. I want to lock down my mail 
server so it only accepts mail from those machines to prevent 
spammers from mailing directly to my host and doing directory harvests.

What do I need to stick in my exim.conf to accept mail from just 
those hosts that will be processing my mail?

thanks,
Adam
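
The firewall option from the two replies above, sketched as an added example (not code from the thread or from Exim): a shell function that builds an iptables-restore fragment accepting port 25 only from the provider's relays and logging everything else, plus a helper that summarises those log entries. The chain name SMTP_IN, the log prefix and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: inbound SMTP allowlist with logging of direct connections.
# SMTP_IN, LOG_PREFIX and every address here are constructed for illustration.

LOG_PREFIX="smtp-direct: "

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to leave unquoted: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore fragment for the given relay addresses.
# Refuses (status 1, no rules printed) if the list is empty or any address
# is malformed, so a typo cannot produce a half-built rule set.
# Load with "iptables-restore --noflush" to keep existing rules; loading it
# twice appends the INPUT jump twice, so load it once per boot.
smtp_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "no relay addresses given" >&2; return 1; }
    for relay in "$@"; do
        is_ipv4 "$relay" || { echo "bad address: $relay" >&2; return 1; }
    done
    echo "*filter"
    echo ":SMTP_IN - [0:0]"
    echo "-A INPUT -p tcp --dport 25 -j SMTP_IN"
    for relay in "$@"; do
        echo "-A SMTP_IN -s $relay -j ACCEPT"
    done
    # Rate-limited so a flood cannot fill the log; packets over the limit
    # skip the LOG rule and are still rejected by the next rule.
    echo "-A SMTP_IN -m limit --limit 6/minute -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "-A SMTP_IN -p tcp -j REJECT --reject-with tcp-reset"
    echo "COMMIT"
}

# Read kernel log lines on stdin and print "count source" for each source
# address recorded by the LOG rule above, busiest first.
direct_smtp_sources() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c |
        awk '{ print $1, $2 }' |
        sort -k1,1nr -k2,2
}

# Constructed kernel log lines in the format the LOG target writes.
sample_log() {
    cat <<'EOF'
Dec 18 10:02:11 mail kernel: smtp-direct: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=41234 DPT=25 SYN
Dec 18 10:02:14 mail kernel: smtp-direct: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=41234 DPT=25 SYN
Dec 18 10:05:40 mail kernel: smtp-direct: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=52001 DPT=25 SYN
Dec 18 10:06:02 mail kernel: other-prefix: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
EOF
}

# Demonstration: rules for two relays, then the summary of the sample log.
smtp_allowlist_rules 192.0.2.10 192.0.2.11
sample_log | direct_smtp_sources
```

Each additional host allowed to connect directly is one more argument to smtp_allowlist_rules, which is the maintenance cost the reply mentions for the firewall approach.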












Re: ftp server

2004-01-16 Thread Dave Watkins
Robert Cates wrote:
Hi,
 
I'm hoping someone on this list can help me with an FTP server issue.
 
I'm running a handful of Internet services on my ADSL line - DNS, Web, 
e-Mail, and FTP servers.
All seem to be running fine, very fast as well, but the FTP server is 
very slow, e.g. first logging on is quite slow, and with every request 
to change directories takes unusually long.
 
Also, the problem seems to occur only from the Internet, i.e. from 
outside my firewall - a Linksys Gateway/Router with Firewall.
 
Is this an FTP server issue ( should I change my FTP server - 
WU-FTPD )?  If not server specific, maybe in the configuration?  Or more 
to do with my firewall settings?
I suspect I may need to move the machine to the DMZ port, but before I 
do I was hoping somebody may have a better solution ( I don't know for 
sure if the DMZ will solve the problem, and I'd rather not use the DMZ ).
 
Thank you very much in advance for your help!
Robert
It almost sounds like a reverse DNS issue although I would only expect
that when the initial connection was made. Although in saying that FTP is
an odd protocol at the best of times and it may be trying to get R-DNS
info every time a new command channel is opened. If your FTP server is
using an internal DNS server make sure it is forwarding queries it can't
answer onto another server that can. If the transfers to and from the
FTP server are slow as well then it is obviously something else. You
could also try disabling R-DNS lookups on the FTP server to see if that
improves things

Dave



Re: Intel SRCU42X SCSI RAID contoller

2004-01-28 Thread Dave Watkins
Sebastiaan wrote:

Hi,

On Wed, 28 Jan 2004, Marcin Owsiany wrote:


Hi!

Forgive me the cross-post, but this is rather urgent for me :-/

Does anyone know if the Debian kernel in woody-proposed-updates (2.4.22)
supports Intel SRCU42X SCSI RAID controller?
Intel's web page says that it is supported by Suse and RH, but they make
a binary driver available for download (megaraid.o). The source is
included, so probably it is the same as in stock kernel, but could anyone
confirm this?
Not sure. I can't find it in the official kernel 2.4.23 (www.kernel.org),
or I am looking over it. What I can find is a driver with the same module
name:
CONFIG_SCSI_MEGARAID:

This driver supports the AMI MegaRAID 418, 428, 438, 466, 762, 490,
467, 471 and 493 SCSI host adapters.
This is the old and very heavily tested driver but lacks features
like clustering.
If you want to compile this driver as a module ( = code which can be
inserted in and removed from the running kernel whenever you want),
say M here and read Documentation/modules.txt.  The module
will be called megaraid.o.
-

Either this module is compatible with your mega raid, or suse and rh gave
a very poor name.
I have looked to the kernel patches, but I could not find information
about CONFIG_SCSI_MEGARAID, so I assume it is disabled by default.
If you don't need to boot from your controller, you can compile the module
afterwards, otherwise a module isn't good enough and you should compile
your custom kernel before installation.
FYI

This card is HEAVILY based on the LSI reference card that Megaraid uses
so there is a good chance the standard megaraid driver will work



Re: Remote server management

2004-02-06 Thread Dave Watkins
Not sure if you were after comments or if there was a question in there
somewhere but Intel whitebox servers offer the capabilities of an add-in
server management card integrated onto the motherboard and also have
serial redirection over IP, so you can have full BIOS access from a
remote lan station, not to mention they have VERY good hardware
monitoring/management integrated too (temps for procs, psu, MBD, HDD
backplane etc, fan RPM's including fans in PSU's, voltages etc etc)

Dave

Micah Anderson wrote:

Since we often have limited physical access to our machines, and our
collective members are spread around the country, our holy grail is remote
hardware administration.
This could mean a lot of things. Mostly, we just need to:

1. power cycle computers remotely
2. access the bios and boot menu remotely
This allows us to reboot if the machine crashes, boot from a different
drive if the boot drive is toast, and allows people to pretty much install
a complex system remotely (especially if we leave a rescue cd in the
drive). Ever tried installing an LVM or software RAID or firewall
remotely? It can be dicey!
Access over IP is acceptable. In other words, we do not need a
solution which is completely 'out of band' like a modem or radio
link.
Below are some notes on the research we have done. Any stories,
experiences, or advice with this kind of stuff would be greatly
appreciated.
* Motherboards *

Many motherboards support serial console (or 'console redirection').
This allows you to use the 'serial console buddy system' or terminal
server to access the machine's main console and bios. With linux, you can
access the console after the boot process has started, but doesn't get you
very far so hardware support in the motherboard is also needed. In the
past, we have had frustration with the quirks of serial console support
(like it killing the real console).
Boards which typically have serial console (serial redirection) support:

Tyan http://tyan.com
Supermicro http://supermicro.com
Others ...
* KVM over IP *

These boxes convert the keyboard, video, and mouse to digital and route
over an IP network. Wild stuff. Traditionally very expensive, newer
products are making this affordable.
American Megatrends has a new one supposedly available Q1 2004 which is
super tiny, can support unlimited machines (when connected to a KVM), with
an anticipated list price of $600. http://www.ami.com/kvm/.
I think some you can ctr-alt-del over and some not(?).

* Serial Console Buddy System *

The idea is to have machines in pairs or more, connected to a partner's
serial port. If one goes down, connect to it from the one which is
(hopefully) still alive. You can use two serial cables for this, or one if
you are tricky. It is sometimes difficult to find null modem cables with
the correct pinout for serial consoles to work.
* PCI Cards *

Cards which add remote support to a motherboard without it:

PC Weasel
pumps video and keyboard through a serial port.
needs an async terminal server, a buddy, or modem(?), to be truly remote
includes remote reboot too.
$250 for ISA
$350 for PCI
MegaRac G2 Lite (american megatrends)
Serial over LAN, power control, remote bios.
OS independent, no drivers. BIOS independent.
client: web based ui (SSL) platform independent.
Mostly intended for monitoring hardware through I2C or IPMI.
Unsure about how robust the serial over lan is.
$300, not available yet, but soon.
* Terminal Server/Serial Concentrators *

Not sure if there is a difference (or a similarity!)
A hub for serial lines, so if you had a bunch of machines
with serial consoles they could all be controlled in one place.
pricey! some can route through ip(?), or to another machine, or a modem.
* Real Servers *

"Real servers," unlike the commodity stuff we use, have had serial console
support since the beginning of time: Alphas, NetServers, etc. People on
lists sometimes say they often buy this stuff without a video card at all
and just use the serial console (through a terminal server).
In addition to serial console, you can buy used on ebay for under $40
stuff like the "HP P1218A Netserver Remote Control Interface"
which lets you reboot the system, flash the bios, and reconfigure
hardware remotely.
* Remote Reboot *

Typically it has been pretty expensive to have a power strip which can be
controlled remotely. Here are some affordable options:
http://www.webreboot.net/ sells a little box for $250 that can
connect to 8 machines through the reset connector on the motherboard.
reboot from a web browser.
http://www.wti.com/power.htm sells power strips which can be rebooted
from a web browser ($600 for 5 plugs) or a control unit + satellite units
setup ($350 for control unit + $200 per satellite).


 



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: Debian and SAN support

2004-02-09 Thread Dave Watkins
This seems to be another one

http://www.sistina.com/products_gfs.htm



Michael Loftis wrote:

Yes but if you have need of sharing a single filesystem, on a single 
volume, you need a FS capable of such.

--On Monday, February 09, 2004 18:33 -0600 Alex Borges 
<[EMAIL PROTECTED]> wrote:

I'm not sure I follow. If you've already got the SAN, why the need of a
DFS?
I thought it would just export you its volumes and you'd see it as scsi
devices?
El lun, 09-02-2004 a las 14:44, J.J. van Gorkum escribió:

Hi,

Can somebody point me in the right direction for cluster Filesystem
support (that will work on Debian) to be used in combination with a
SAN?
(Compaq MSA1000)

I have found:

- lustre (clusterFS) they say they have support for Linux 2.4.x but the
systems segfault on vanilla 2.4.20 kernels...
- gpfs (suspended by IBM due to the (soon) arrival of Storage Tank)
- openGFS (but the project seems dead -- and segv on the DLM module)
Keep in mind that running a Redhat kernel is NOT an option.

--
JJ van Gorkum Knowledge Zone
If UNIX isn't the solution, you've got the wrong problem.





--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting





Re: Mondo and Debian

2004-02-22 Thread Dave Watkins
Christopher Davis wrote:

Hello all!

I've been switching from Red Hat to Debian the last 6 months
and have become very partial to Mondo Rescue --
mondorescue.org for backups.  This and Debian do not seem to
like each other too much.
What types of software do you use to run backups on Debian
servers to create iso bootable images?
or...Even better -- anyone know how to tweak Debian and
Mondo?
Thanks!
Christopher Davis
 

What exactly do you mean "do not seem to like each other too much"?

Whilst I haven't tried these there are packages for this in stable and 
unstable, so one would imagine an "apt-get install mondo" would do the trick.

Dave



Re: Fixed (hardisk) device names?

2004-03-31 Thread Dave Watkins
Arnd Vehling wrote:

Hello,

does anyone know how to fix the device name on a Debian Linux
system? For example, if I have two IDE hard disks, the devices will
be named like this.
/dev/hda
/dev/hdb
If I now must remove the first hard disk (/dev/hda) the second (/dev/hdb)
will be renamed to (/dev/hda) after the reboot. As I want /dev/hdb to be
a mirror of /dev/hda and used as failover disk _without_ opening the
case and tampering with the IDE bus setup, I want Linux to keep the name
/dev/hdb for the drive no matter what happens.
Is this possible?

Another question. How can I copy two identical discs _including_ the boot
block? "dd if=/dev/hda of=/dev/hdb" doesn't do it and there are no raw
devices on Linux AFAIK.
thx,

  Arnd

I would suggest making hdb in this case Secondary master. That will mean 
it is always hdc no matter what happens. Some BIOSes don't like trying to 
boot from slave HDDs. Otherwise look at setting up a RAID mirror as has 
been suggested already.



Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

2004-04-09 Thread Dave Watkins
If I remember right (and someone correct me if I'm wrong) a mail server 
doesn't have to have an MX record. If no MX record exists then the 
sending server drops back to normal host records and this is perfectly 
legitimate. So the MX record checking may not work so well.

Pulu 'Anau wrote:

To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended?  (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).
We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this
would block legitimate mail almost instantly.
We've just been blocking hosts manually after the first virus.  I'm thinking
about writing a little script to:
1.  Get the offending IP address from amavis's logfile
2.  Check against a whitelist (like our own backup mx's)
3.  Do something like tcpping to the IP to see if it is a valid mx host
4.  If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours
Other than the 72 hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three.  

Does anyone see any problems with the above?  The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.
Sorry, it's not really about the spam issue discussed before, but it's strange
the synchronicity (os fingerprinting anyway) between my work and this list
sometimes.
Pulu


Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu

Quoting Russell Coker <[EMAIL PROTECTED]>:

On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:

On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message

http://www.netfilter.org/patch-o-matic/pom-base.html

See the section on "osf" in the above URL for a better solution.
Simply block Windows machines from accessing your port 25.

..if only all isp's did it...

Not all ISPs need to do it.  Only your ISP and the ISPs that host mailing 
lists that you subscribe to.

If you are interested in this then the best thing you can do is to build 
yourself a kernel with osf and try it out.  If it works well create a Debian
kernel-patch package for it so that other Debian users can conveniently use
it.  The more accessible you make this to Debian people the closer it comes
to being installed on Debian list servers...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
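The four-step script proposed in the quoted message, sketched as an added example (not code posted by anyone in the thread). Step 3 is a TCP probe of port 25 rather than an MX lookup, so a mail server that is reachable only through its host record, the case raised in the reply, still passes. The log-line format, the addresses and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket
import time

BLOCK_SECONDS = 72 * 3600  # step 4: keep the block for 72 hours

# Constructed sample lines. Real amavis output differs by version and config,
# so adjust INFECTED_RE to what your own logfile contains.
SAMPLE_LOG = """\
Apr  9 10:01:02 mx1 amavis[811]: INFECTED (W32/Netsky) from [203.0.113.45]
Apr  9 10:01:09 mx1 amavis[811]: INFECTED (W32/Bagle) from [198.51.100.7]
Apr  9 10:02:30 mx1 amavis[812]: INFECTED (W32/Netsky) from [192.0.2.25]
Apr  9 10:03:00 mx1 amavis[812]: CLEAN from [203.0.113.99]
Apr  9 10:04:11 mx1 amavis[813]: INFECTED (W32/Netsky) from [203.0.113.45]
"""

INFECTED_RE = re.compile(r"INFECTED .* from \[(?P<ip>[0-9a-fA-F.:]+)\]")


def infected_sources(log_text):
    """Step 1: unique, syntactically valid source IPs of infected mail."""
    seen = []
    for line in log_text.splitlines():
        match = INFECTED_RE.search(line)
        if not match:
            continue
        try:
            ip = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            continue  # never pass an unparsed token on to a firewall command
        if ip not in seen:
            seen.append(ip)
    return seen


def in_whitelist(ip, whitelist):
    """Step 2: whitelist entries are single addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def listens_on_smtp(ip, timeout=5.0):
    """Step 3: does the sender itself accept connections on port 25?

    This needs no MX record, so servers found via their host record pass.
    """
    try:
        with socket.create_connection((ip, 25), timeout=timeout):
            return True
    except OSError:
        return False


def decide(log_text, whitelist, is_mail_host=listens_on_smtp, now=None):
    """Step 4: map each IP failing checks 2 and 3 to its block expiry time."""
    now = time.time() if now is None else now
    blocks = {}
    for ip in infected_sources(log_text):
        if in_whitelist(ip, whitelist) or is_mail_host(ip):
            continue
        blocks[ip] = now + BLOCK_SECONDS
    return blocks


def firewall_cmd(ip, action="-I"):
    """Netfilter command that inserts (-I) or deletes (-D) the port 25 block."""
    tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
    return f"{tool} {action} INPUT -s {ip} -p tcp --dport 25 -j DROP"


def expire(blocks, now):
    """Split blocks into those still active and delete commands for the rest."""
    active, commands = {}, []
    for ip, until in blocks.items():
        if until > now:
            active[ip] = until
        else:
            commands.append(firewall_cmd(ip, "-D"))
    return active, commands


if __name__ == "__main__":
    # Offline demonstration: the probe is replaced by a constructed answer.
    demo = decide(SAMPLE_LOG, ["192.0.2.0/24"],
                  is_mail_host=lambda ip: ip == "198.51.100.7")
    for ip in demo:
        print(firewall_cmd(ip))
```

A site that sends through an outbound-only relay will fail the port 25 probe, so such hosts belong in the whitelist. The probe also costs one connection per new offender, which matters on the 32K links mentioned above.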


Snort and stable/testing

2004-05-08 Thread Dave Watkins
Hi All

I'm after some suggestions as to the easiest way to run Snort (and keep
it reasonably up to date), preferably without having to maintain it
manually or upgrading from stable as this is a firewall and the security
updates are important.

Snort in stable is still at 1.84 and so can't even process any of the
rules released these days.

Ideas / suggestions?

Thanks
Dave





Re: relay protection for Postfix

2004-06-18 Thread Dave Watkins
Aaron Goulding wrote:

> Okay, there's a lot of talk on -user about spam control, and I'd like
> to make sure my own server is properly secured. Could anyone recommend
> basic steps for Debian STABLE running Postfix for the MTA, to make
> sure it's not being used as a relay point? I want to be able to
> deliver mail from the box itself (to keep SquirrelMail working) but
> other than that, no one should be able to deliver mail through my
> machine.
>
> I figure this is a pretty simple item, and I'm just missing the steps
> in the docs. Thanks in advance!
>
> -Aaron, Dreamchaos.net administrator
>
>
I usually use this

http://www.abuse.net/relay.html

Does quite a number of tests and you can see the results in realtime





Re: email server - how to

2004-06-30 Thread Dave Watkins
Andreas John wrote:

>
>> Best to use 2U machines with the maximum number of disks IMHO.  A 2U
>> machine should be able to have 5 disks.
>
>
> I say: 9 Disks without problems. e.g.  pcicase
> http://www.pcicase.de/catalog/produktweb/IPC-C2-X/IPC-C2D.htm
>
>
The question is, with that many disks, is a single RAID 5 going to be
enough redundancy... That's an awful lot of data to lose if 2 drives
fail. May be worth thinking about RAID6 or a couple of RAID5 arrays striped.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: MySQL with temporary high load on shared server

2004-06-30 Thread Dave Watkins
Stefan Neufeind wrote:

>Hi folks,
>
>does anybody have with MySQL running on a shared server, which gets temporary 
>high load? My problem is that a friend uses an online-shop on a shared-system. 
>No problem with that - but when he uses update-scripts to upload his 
>products/prices/... from scratch the system almost goes down due to heavy load. 
>There are about 10.000 products in the DB - not *so* much I always thought.
>System performance degrades for other services (mail, ftp, ...) as well as 
>other users trying to access their databases.
>
>Has anybody got an idea? Please let me know urgently!
>
>
>Kind regards,
> Stefan Neufeind
>  
>

I would suggest looking at using a bulk insert procedure; this should
significantly speed up the loading of the data. If memory serves you use
LOAD DATA. Check the MySQL manual.





Re: lm-sensors support for SE7501BR2 ?

2004-07-14 Thread Dave Watkins
Marcin Owsiany wrote:

>Hi!
>
>[ sorry for the cross-post, but both lists seem relevant ]
>
>I have an Intel SE7501BR2 server motherboard, and using lm-sensors
>2.6.3-5+ only detects successfully four chips like this: (using eeprom
>driver)
>
>  * Bus `SMBus I801 adapter at 0580' (Non-I2C SMBus adapter)
>Busdriver `i2c-i801', I2C address 0x51
>Chip `Serial EEPROM (PC-100 DIMM)' (confidence: 8)
>
>But does not find any thermal sensors. Has anyone had more luck with
>such hardware? The manual says the sensors are managed by Heceta chip
>U5F10, for which google finds no good hits.
>
>Marcin
>  
>
The Heceta chip is an Intel custom chip, I believe, that actively changes
fan speeds based on temperatures. This includes chassis fans as well as
CPU fans. It's also likely linked into the BMC on this board which will
probably add another layer of complication to the equation that's already
too complicated :-(





Re: RAID-1 to RAID-5 online migration?

2004-09-02 Thread Dave Watkins
Ralph Paßgang wrote:

>On Thursday 02 September 2004 15:18, Mark Janssen wrote:
>  
>
>>On Thu, 2004-09-02 at 13:43, Gavin Hamill wrote:
>>
>>
>>>Hello -  just a quickie :)
>>>
>>>If I construct a RAID1 with two 200GB disks, will I be able to add a
>>>third disk and convert the whole set to a 400GB RAID5 later on by
>>>logically removing the second disk from the RAID1 set?
>>>  
>>>
>>Nope... migrating to a different raid configuration wipes your disks
>>So you'll have to backup, migrate and restore.
>>
>>
>
>Yes, but you can make something like this:
>
>remove one drive from the raid-1. You get a degraded, but normal working 
>raid1 array.
>
>create a new raid5 for three disks, but you add only two disks to the raid5. 
>So you are building a dirty raid array, but this should work. (never tested 
>it myself with a raid5, only with a raid1)
>
>Now you can copy the data from your degraded raid1 to your new raid5.
>
>After that is done you can delete the old raid1 completely and add the now free 
>disk to the raid5...
>
>But be careful, if you make something wrong you can lose all data, so making 
>a backup is of course the better and the secure way.
>
>--Ralph
>
>
>  
>
I've actually done this exact thing before and it worked flawlessly.

Dave





Re: Intel SR1325TP1-E & 3ware 9xxx RAID thoughts

2004-10-14 Thread Dave Watkins
Achim Schmidt wrote:

>On Thu, 2004-10-14 at 22.01, Franz Georg Köhler wrote:
>  
>
>>Isn't i2c supposed to be standardized?
>>
>>
>>
>
>today I had to speak to their support and the hint given was to take the
>Red Hat rpm and create my own deb using alien :/ Further I was told using
>lm_sensors or other tools using i2c won't work because the board is
>optimized for ISM...
>  
>
The reason i2c won't work on these boards is because they use IPMI
rather than i2c and have a BMC on them which does much more in the way
of management than desktop type boards





Re: Intel SR1325TP1-E & 3ware 9xxx RAID thoughts

2004-10-15 Thread Dave Watkins
Henrique de Moraes Holschuh wrote:

>On Fri, 15 Oct 2004, Dave Watkins wrote:
>  
>
>>The reason i2c won't work on these boards is because they use IPMI
>>rather than i2c and have a BMC on them which does much more in the way
>>of management than desktop type boards
>>
>>
>
>Well, if it is anything like SE750x boards, you need to first setup the
>entire BMC system using the Intel CD (that runs Windows :P) before it
>will do anything useful. 
>
>After that is done, you *can* access the sensor data through IPMI, and even
>reconfigure the BMC from Linux.  There is even an lm-sensors module for
>accessing IPMI sensor data. It is slow, but it works.  Mostly :P
>
>I don't recall where I found the IPMI sensor module anymore, though.
>Maybe it is even packaged in sid/sarge nowadays.  I think it was OpenIPMI
>or something like that.
>
>  
>
The 1325 should already be set up properly as the board is custom to the
chassis and that's the only way the system is sold. Also the CD is self
booting and doesn't require Windows to set up anyway. You have to flash
the BMC and set it up that way and configure the password for access via
the bootable CD. This will also install the "Service Partition".

Dave





Re: spec-ing/dimensioning a server?

2003-11-25 Thread Dave Watkins
Hi Neale
I would look at changing a few things here. Of course these depend on 
the budget available and the uptime required from the server.

I would look at getting a different CPU, specifically an 800MHz FSB CPU. 
The 2.4C should be the same price if not cheaper and will give you the 
same or better performance (this also takes advantage of the memory you 
are installing as the CPU and memory have to run in sync on Intel 
chipset boards). You may also want to look at an 875 chipset motherboard 
as this will give you the capability to run ECC memory and I would 
recommend it for a server. Again the price difference shouldn't be too 
much, although the ECC mem may cost a bit more; in my opinion it would be 
worth it for the peace of mind. This may be counteracted if you can get 
a board with on-board video as you can then do away with the video card 
(something like this http://www.intel.com/design/servers/s875wp1-e/)

Since HDD space doesn't seem to be a concern it may be worth looking at 
the Raptor series of drives from WD. They are S-ATA drives which may be 
a problem with the RAID card you're using and they will cost you more, 
but they give you 10,000 RPM drives built for enterprise class use (5 
year warranty and high MTBF)

Finally worth considering is redundant power if this box needs a high 
uptime, although this is usually a sizable jump in price and if you can 
live with a little downtime then it's probably not worth the price. 
Especially if you can connect the machine to an On-line UPS.

Hmm this became longer than I expected :-)
Hope it helps
Dave
Neale Banks wrote:
Hi all,
As part of a project I'm involved in, we need to deploy a new server
(ia32, FWIW: running Debian "sarge") to run a MySQL database (SME-sized,
moderate complexity but not particularly large) + Java Application.
I figure that upgradability probably isn't a big issue here, as the
obvious path is to deploy a second machine and separate the SQL and java
onto separate hosts.
A spec being considered includes:
DFI PS83BL Intel 865 Chipset Hyper Threading Main Board
(H/Threading, 800MHz FSB, AGP 8x, DDR400,
6-channel audio, S/PDIF-in/out, SATA, LAN, USB 2.0)
Pentium 4 2.66GHz (533Mhz) CPU
2 x 512MB DDR400 Memory
3Ware 7506-4LP ATA 133 RAID Controller
2 x 40GB WD JB-series IDE HDD (7200RPM, 8MB Cache)
(disks to run mirrored)
Geoforce2 MX400 64MB DDR Graphics Card
52x IDE CDROM
(usual bits: FDD, k/board etc)
Anyone care to comment as to the appropriateness of the above spec (i.e.
strengths, weaknesses, over/under-kill etc), in particular in terms of
value-for-money?
Thanks,
Neale.





Re: spec-ing/dimensioning a server?

2003-11-25 Thread Dave Watkins
Mark Ferlatte wrote:
Nate Duehr said on Tue, Nov 25, 2003 at 09:13:48AM -0700:
Agreed on the "as fast a CPU as you can afford" and the 10K RPM disk 
comments.  However I'm not a huge fan of SATA yet.  There's been quite a 
bit of discussion on various mailing lists of people having trouble with 
them.  I'm old-school and would prefer the more expensive SCSI 
SCA-connector'ed disks in most of the servers I have spec'ed.
 
Which lists?  I've had a hell of a time with SCSI SCA connected disks; a single
bad SCSI disk can wipe out the whole chain, whereas with SATA that seems to be
less likely.  I'd be interested in hearing about SATA ickyness, though; from
what I've seen, it seems like a good thing.


SCA connected disks run through a backplane which should prevent this 
happening. I would have also suggested SCSI but it seemed price was an 
issue and this would have certainly been expensive when coupled with a 
RAID card

I tend to lean toward motherboards with a real serial port on them also, 
as you can configure a serial console to come up on one of them and use 
that from a laptop or what-have-you when you go to do maintenance 
instead of lugging a monitor/keyboard over to it.  But they're getting 
harder to find.
 
Not if you get a real server board; the newer Intel based ones have BIOS access
via the serial console.  :)
Actually they also have BIOS access via LAN. :-)
Dave



Re: spec-ing/dimensioning a server?

2003-11-27 Thread Dave Watkins
Mark Ferlatte wrote:
Dave Watkins said on Wed, Nov 26, 2003 at 06:38:39PM +1300:
Mark Ferlatte wrote:
Which lists?  I've had a hell of a time with SCSI SCA connected disks; a
single bad SCSI disk can wipe out the whole chain, whereas with SATA that
seems to be less likely.  I'd be interested in hearing about SATA ickyness,
though; from what I've seen, it seems like a good thing.

SCA connected disks run through a backplane which should prevent this
happening. I would have also suggested SCSI but it seemed price was an issue
and this would have certainly been expensive when coupled with a RAID card
 
I can say from experience that this is not guaranteed.  I've had an SCA system
explode from inserting a faulty replacement disk just recently.  It sucked.

I am still curious to know of places where people talk about this sort of
thing; though.  At this point, SATA seems like the best option.
If you've got them in an Intel Server Chassis try firmware updates to 
the HS backplane and perhaps RAID card

Not if you get a real server board; the newer Intel based ones have BIOS
access via the serial console.  :)
Actually they also have BIOS access via LAN. :-)

Really?  Mine don't, but that doesn't surprise me.  How does it work?

Depends on the board and the version of ISM (all 5.x.x versions support it 
from memory) installed but it's a component in ISM. It's also worth 
mentioning that only the first LAN port can support it and if you have 
that teamed then it won't work. The only problem I've seen is that there 
is a noticeable delay and if you're trying to get into the BIOS you need 
to be pressing F2 before you even see the screen come up but that's easy 
to work around :-)

Dave



Re: Exim accepting mail from specific hosts

2003-12-17 Thread Dave Watkins
Configuring Exim to do this would seem like a bad idea, in that your 
machine then has to accept a connection to determine if you do in fact 
even want to accept the mail. Ideally you would get the MX record for 
your domain pointing to your provider's mail server (with perhaps a 
backup MX pointing to yours). That way under normal conditions mail will 
be routed through your provider's mail servers unless they are down, and 
if they are down it will be routed to you. This will probably require 
some configuration changes on your provider's servers but nothing major 
(just a routing line in a config file).

The other option would be to firewall off port 25 for inbound traffic 
unless it came from your provider's mail server, although this is much 
less elegant.

Dave
Adam Dawes wrote:
Hi,
I've implemented a spam service where a provider is filtering all my 
domain's mail before it hits my server. I want to lock down my mail 
server so it only accepts mail from those machines to prevent spammers 
from mailing directly to my host and doing directory harvests.

What do I need to stick in my exim.conf to accept mail from just those 
hosts that will be processing my mail?

thanks,
Adam





Re: Exim accepting mail from specific hosts

2003-12-18 Thread Dave Watkins
Adam Dawes wrote:
Yes, that was part of the plan, to point my mx records to my provider. 
Therefore, any connections to my port 25 should be from only folks that 
are port scanning (sounds like a spammer to me). Think this is best done 
as a firewall issue or via David's host_reject option?

thanks,
Adam
Dave Watkins wrote:
Configuring Exim to do this would seem like a bad idea, in that your 
machine then has to accept a connection to determine if you do in fact 
even want to accept the mail. Ideally you would get the MX record for 
your domain pointing to your provider's mail server (with perhaps a 
backup MX pointing to yours). That way under normal conditions mail 
will be routed through your provider's mail servers unless they are 
down, and if they are down it will be routed to you. This will 
probably require some configuration changes on your provider's servers 
but nothing major (just a routing line in a config file).

The other option would be to firewall off port 25 for inbound traffic 
unless it came from your provider's mail server, although this is much 
less elegant.

Dave
Depends on what logging you want (or more precisely where you want it 
logged) and the load you can handle. Also perhaps how often and how many 
other connections you will want to allow (if any).

If you want to log all the failed connections and don't want another log 
to go through to see who's trying to connect then obviously letting Exim 
do it would be preferable; this is assuming your machine can handle the 
load of spawning Exim processes for no real purpose other than logging 
but I don't think that would be a problem. This would also be better if 
you want to allow some server(s) to connect directly otherwise you will 
have to maintain a firewall setup that will get more and more complicated 
as the number of allowed hosts increases.

If you're not concerned about logging or are happy to log to another 
file, and you won't be receiving mail from anyone other than this single 
host then a firewall would probably be the better option.

Dave
Adam Dawes wrote:
Hi,
I've implemented a spam service where a provider is filtering all my 
domain's mail before it hits my server. I want to lock down my mail 
server so it only accepts mail from those machines to prevent 
spammers from mailing directly to my host and doing directory harvests.

What do I need to stick in my exim.conf to accept mail from just 
those hosts that will be processing my mail?

thanks,
Adam
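
The firewall option weighed in this thread, written out as an added example (not configuration posted by anyone here): port 25 is accepted only from the provider's relays and from loopback, everything else is optionally logged and then dropped, and a first-match walk shows which rule a given source hits. The relay addresses (documentation ranges), the log prefix and the function names are assumptions.

```python
import ipaddress

SMTP_PORT = 25
LOG_PREFIX = "smtp-direct: "  # assumed tag for finding these entries in the kernel log


def build_policy(relays, log_rejected=True):
    """Return ordered (network, target) pairs; network None matches any source.

    Loopback is always allowed so that mail submitted on the box itself
    (webmail, cron) keeps working once the drop rule is in place.
    """
    nets = [ipaddress.ip_network("127.0.0.0/8")]
    for relay in relays:
        net = ipaddress.ip_network(relay)  # ValueError on typos or stray host bits
        if net.version != 4:
            raise ValueError(f"{relay}: IPv6 sources need ip6tables rules")
        if net.prefixlen == 0:
            raise ValueError(f"{relay}: would allow every host")
        nets.append(net)
    policy = [(net, "ACCEPT") for net in nets]
    if log_rejected:
        policy.append((None, "LOG"))
    policy.append((None, "DROP"))
    return policy


def render(policy):
    """Turn the policy into iptables commands, one per rule, in order."""
    commands = []
    for net, target in policy:
        parts = ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(SMTP_PORT)]
        if net is not None:
            parts += ["-s", str(net)]
        if target == "LOG":
            # Rate-limited so a flood of direct connections cannot fill the log.
            parts += ["-m", "limit", "--limit", "6/minute",
                      "-j", "LOG", "--log-prefix", f'"{LOG_PREFIX}"']
        else:
            parts += ["-j", target]
        commands.append(" ".join(parts))
    return commands


def verdict(policy, source_ip):
    """Walk the rules as netfilter does: the first terminating match wins.

    LOG does not terminate, so the walk continues after it. Returns
    (target, logged); the rate limit on the LOG rule is ignored here.
    """
    addr = ipaddress.ip_address(source_ip)
    logged = False
    for net, target in policy:
        if net is not None and addr not in net:
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return "ACCEPT", logged  # assumes the chain's default policy is ACCEPT


if __name__ == "__main__":
    # Constructed relay addresses standing in for the filtering provider's hosts.
    policy = build_policy(["203.0.113.10", "203.0.113.11"])
    print("\n".join(render(policy)))
    for source in ("203.0.113.10", "198.51.100.7"):
        print(source, verdict(policy, source))
```

Each additional host that may connect directly costs one more ACCEPT rule ahead of the LOG and DROP pair, which is the maintenance cost the reply above describes.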









Re: ftp server

2004-01-16 Thread Dave Watkins
Robert Cates wrote:
Hi,
 
I'm hoping someone on this list can help me with an FTP server issue.
 
I'm running a handful of Internet services on my ADSL line - DNS, Web, 
e-Mail, and FTP servers.
All seem to be running fine, very fast as well, but the FTP server is 
very slow, e.g. first logging on is quite slow, and with every request 
to change directories takes unusually long.
 
Also, the problem seems to occur only from the Internet, i.e. from 
outside my firewall - a Linksys Gateway/Router with Firewall.
 
Is this an FTP server issue ( should I change my FTP server - 
WU-FTPD )?  If not server specific, maybe in the configuration?  Or more 
to do with my firewall settings?
I suspect I may need to move the machine to the DMZ port, but before I 
do I was hoping somebody may have a better solution ( I don't know for 
sure if the DMZ will solve the problem, and I'd rather not use the DMZ ).
 
Thank you very much in advance for your help!
Robert
It almost sounds like a reverse DNS issue although I would only expect 
that when the initial connection was made. Although in saying that FTP is 
an odd protocol at the best of times and it may be trying to get R-DNS 
info every time a new command channel is opened. If your FTP server is 
using an internal DNS server make sure it is forwarding queries it can't 
answer onto another server that can. If the transfers to and from the 
FTP server are slow as well then it is obviously something else. You 
could also try disabling R-DNS lookups on the FTP server to see if that 
improves things.

Dave



Re: Intel SRCU42X SCSI RAID contoller

2004-01-28 Thread Dave Watkins
Sebastiaan wrote:
Hi,
On Wed, 28 Jan 2004, Marcin Owsiany wrote:

Hi!
Forgive me the cross-post, but this is rather urgent for me :-/
Does anyone know if the Debian kernel in woody-proposed-updates (2.4.22)
supports Intel SRCU42X SCSI RAID controller?
Intel's web page says that it is supported by Suse and RH, but they make
a binary driver available for download (megaraid.o). The source is
included, so probably it is the same as in stock kernel, but could anyone
confirm this?
Not sure. I can't find it in the official kernel 2.4.23 (www.kernel.org),
or I am looking over it. What I can find is a driver with the same module
name:
CONFIG_SCSI_MEGARAID:
This driver supports the AMI MegaRAID 418, 428, 438, 466, 762, 490,
467, 471 and 493 SCSI host adapters.
This is the old and very heavily tested driver but lacks features
like clustering.
If you want to compile this driver as a module ( = code which can be
inserted in and removed from the running kernel whenever you want),
say M here and read Documentation/modules.txt.  The module
will be called megaraid.o.
-
Either this module is compatible with your mega raid, or suse and rh gave
a very poor name.
I have looked to the kernel patches, but I could not find information
about CONFIG_SCSI_MEGARAID, so I assume it is disabled by default.
If you don't need to boot from your controller, you can compile the module
afterwards, otherwise a module isn't good enough and you should compile
your custom kernel before installation.
FYI
This card is HEAVILY based on the LSI reference card that Megaraid uses 
so there is a good chance the standard megaraid driver will work.




Re: Remote server management

2004-02-06 Thread Dave Watkins
Not sure if you were after comments or if there was a question in there 
somewhere but Intel whitebox servers offer the capabilities of an add-in 
server management card integrated onto the motherboard and also have 
serial redirection over IP, so you can have full BIOS access from a 
remote LAN station, not to mention they have VERY good hardware 
monitoring/management integrated too (temps for procs, psu, MBD, HDD 
backplane etc, fan RPMs including fans in PSUs, voltages etc etc)

Dave
Micah Anderson wrote:
Since we often have limited physical access to our machines, and our
collective members are spread around the country, our holy grail is remote
hardware administration.
This could mean a lot of things. Mostly, we just need to:
1. power cycle computers remotely
2. access the bios and boot menu remotely
This allows us to reboot if the machine crashes, boot from a different
drive if the boot drive is toast, and allows people to pretty much install
a complex system remotely (especially if we leave a rescue cd in the
drive). Ever tried installing an LVM or software RAID or firewall
remotely? It can be dicey!
Access over IP is acceptable. In other words, we do not need a
solution which is completely 'out of band' like a modem or radio
link.
Below are some notes on the research we have done. Any stories,
experiences, or advice with this kind of stuff would be greatly
appreciated.
* Motherboards *
Many motherboards support serial console (or 'console redirection').
This allows you to use the 'serial console buddy system' or terminal
server to access the machine's main console and bios. With linux, you can
access the console after the boot process has started, but doesn't get you
very far so hardware support in the motherboard is also needed. In the
past, we have had frustration with the quirks of serial console support
(like it killing the real console).
Boards which typically have serial console (serial redirection) support:
Tyan http://tyan.com
Supermicro http://supermicro.com
Others ...
* KVM over IP *
These boxes convert the keyboard, video, and mouse to digital and route
over an IP network. Wild stuff. Traditionally very expensive, newer
products are making this affordable.
American Megatrends has a new one supposedly available Q1 2004 which is
super tiny, can support unlimited machines (when connected to a KVM), with
an anticipated list price of $600. http://www.ami.com/kvm/.
I think some you can ctr-alt-del over and some not(?).
* Serial Console Buddy System *
The idea is to have machines in pairs or more, connected to a partner's
serial port. If one goes down, connect to it from the one which is
(hopefully) still alive. You can use two serial cables for this, or one if
you are tricky. It is sometimes difficult to find null modem cables with
the correct pinout for serial consoles to work.
* PCI Cards *
Cards which add remote support to a motherboard without it:
PC Weasel
pumps video and keyboard through a serial port.
needs an async terminal server, a buddy, or modem(?), to be truly remote
includes remote reboot too.
$250 for ISA
$350 for PCI
MegaRac G2 Lite (american megatrends)
Serial over LAN, power control, remote bios.
OS independent, no drivers. BIOS independent.
client: web based ui (SSL) platform independent.
Mostly intended for monitoring hardware through I2C or IPMI.
Unsure about how robust the serial over lan is.
$300, not available yet, but soon.
* Terminal Server/Serial Concentrators *
Not sure if there is a difference (or a similarity!)
A hub for serial lines, so if you had a bunch of machines
with serial consoles they could all be controlled in one place.
pricey! some can route through ip(?), or to another machine, or a modem.
* Real Servers *
"Real servers," unlike the commodity stuff we use, have had serial console
support since the beginning of time: Alphas, NetServers, etc. People on
lists sometimes say they often buy this stuff without a video card at all
and just use the serial console (through a terminal server).
In addition to serial console, you can buy used on ebay for under $40
stuff like the "HP P1218A Netserver Remote Control Interface"
which lets you reboot the system, flash the bios, and reconfigure
hardware remotely.
* Remote Reboot *
Typically it has been pretty expensive to have a power strip which can be
controlled remotely. Here are some affordable options:
http://www.webreboot.net/ sells a little box for $250 that can
connect to 8 machines through the reset connector on the motherboard.
reboot from a web browser.
http://www.wti.com/power.htm sells power strips which can be rebooted
from a web browser ($600 for 5 plugs) or a control unit + satellite units
setup ($350 for control unit + $200 per satellite).

 




Re: Debian and SAN support

2004-02-10 Thread Dave Watkins
This seems to be another one
http://www.sistina.com/products_gfs.htm

Michael Loftis wrote:
Yes but if you have need of sharing a single filesystem, on a single 
volume, you need a FS capable of such.

--On Monday, February 09, 2004 18:33 -0600 Alex Borges 
<[EMAIL PROTECTED]> wrote:

I'm not sure I follow. If you've already got the SAN, why the need of a
DFS?
I thought it would just export you its volumes and you'd see it as scsi
devices?
On Mon, 09-02-2004 at 14:44, J.J. van Gorkum wrote:
Hi,
Can somebody point me in the right direction for cluster Filesystem
support (that will work on Debian) to be used in combination with a 
SAN?
(Compaq MSA1000)

I have found:
- Lustre (clusterFS) they say they have support for Linux 2.4.x but the
systems segfault on vanilla 2.4.20 kernels...
- gpfs (suspended by IBM due to the (soon) arrival of Storage Tank)
- openGFS (but the project seems dead -- and segv on the DLM module)
Keep in mind that running a Redhat kernel is NOT an option.
--
JJ van Gorkum Knowledge Zone
If UNIX isn't the solution, you've got the wrong problem.



--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting




Re: Fixed (hardisk) device names?

2004-03-31 Thread Dave Watkins
Arnd Vehling wrote:
Hello,
does anyone know how to fix the device name on a Debian Linux
system? For example, if I have two IDE hard disks, the devices will
be named like this.
/dev/hda
/dev/hdb
If I now must remove the first hard disk (/dev/hda) the second (/dev/hdb)
will be renamed to (/dev/hda) after the reboot. As I want /dev/hdb to be
a mirror of /dev/hda and used as failover disk _without_ opening the
case and tampering with the IDE bus setup, I want Linux to keep the name
/dev/hdb for the drive no matter what happens.
Is this possible?
Another question. How can I copy two identical discs _including_ the boot
block? "dd if=/dev/hda of=/dev/hdb" doesn't do it and there are no raw
devices on Linux AFAIK.
thx,
  Arnd
I would suggest making hdb in this case Secondary master. That will mean 
it is always hdc no matter what happens. Some BIOSes don't like trying to 
boot from slave HDDs. Otherwise look at setting up a RAID mirror as has 
been suggested already.




Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

2004-04-09 Thread Dave Watkins
If I remember right (and someone correct me if I'm wrong) a mail server 
doesn't have to have an MX record. If no MX record exists then the 
sending server drops back to normal host records and this is perfectly 
legitimate. So the MX record checking may not work so well.

Pulu 'Anau wrote:
To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended?  (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).
We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this
would block legitimate mail almost instantly.
We've just been blocking hosts manually after the first virus.  I'm thinking
about writing a little script to:
1.  Get the offending IP address from amavis's logfile
2.  Check against a whitelist (like our own backup mx's)
3.  Do something like tcpping to the IP to see if it is a valid mx host
4.  If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours
Other than the 72 hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three.  

Does anyone see any problems with the above?  The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.
Sorry, it's not really about the spam issue discussed before, but it's strange
the synchronicity (os fingerprinting anyway) between my work and this list
sometimes.
Pulu

Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu
Quoting Russell Coker <[EMAIL PROTECTED]>:
 

On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
   

On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
 

http://www.netfilter.org/patch-o-matic/pom-base.html
See the section on "osf" in the above URL for a better solution.
Simply block Windows machines from accessing your port 25.
   

..if only all isp's did it...
 

Not all ISPs need to do it.  Only your ISP and the ISPs that host mailing 
lists that you subscribe to.

If you are interested in this then the best thing you can do is to build 
yourself a kernel with osf and try it out.  If it works well create a Debian
kernel-patch package for it so that other Debian users can conveniently use
it.  The more accessible you make this to Debian people the closer it comes
to being installed on Debian list servers...
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
   


-
This mail sent from Tonga's Premiere Internet Cafe
Visit us online at http://www.cafe.afe.to 
discussions @ http://www.nomoa.com/index.php
generic info @  http://www.tongatapu.net.to
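
An added sketch, not code from anyone in this thread, of the four-step blocking script outlined in the quoted message above. It uses a TCP probe of port 25 for step 3 because, as the reply notes, a mail host need not have an MX record. The log layout, sample addresses and function names are assumptions made for illustration, and the rules are returned as text rather than executed.

```python
import re
import socket
from datetime import timedelta
from ipaddress import ip_address, ip_network

BLOCK_FOR = timedelta(hours=72)
# Constructed lines in a simplified amavis-like layout (assumption: the real
# format depends on the amavis version; adjust INFECTED_RE to match yours).
SAMPLE_LOG = [
    "Apr  9 10:01:12 mx1 amavis[411]: (00411-03) INFECTED (Worm.Example.A), [192.0.2.10] <a@example.net> -> <u@example.org>",
    "Apr  9 10:02:40 mx1 amavis[411]: (00411-04) Passed, [198.51.100.7] <b@example.net> -> <u@example.org>",
    "Apr  9 10:03:05 mx1 amavis[412]: (00412-01) INFECTED (Worm.Example.A), [203.0.113.5] <c@example.com> -> <v@example.org>",
    "Apr  9 10:04:59 mx1 amavis[412]: (00412-02) INFECTED (Worm.Example.B), [198.51.100.25] <d@example.com> -> <v@example.org>",
    "Apr  9 10:05:30 mx1 amavis[413]: (00413-01) INFECTED (Worm.Example.A), [192.0.2.10] <a@example.net> -> <w@example.org>",
]
INFECTED_RE = re.compile(r"INFECTED \([^)]*\), \[([^\]]+)\]")

def infected_sources(lines):
    """Step 1: unique, well-formed client IPs of INFECTED messages, in log order."""
    found = []
    for m in filter(None, map(INFECTED_RE.search, lines)):
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue  # bracketed field was not an IP address
        if ip not in found:
            found.append(ip)
    return found

def accepts_smtp(ip, timeout=5.0):
    """Step 3: TCP probe of port 25, not an MX lookup (a mail host may have no MX)."""
    try:
        with socket.create_connection((str(ip), 25), timeout=timeout):
            return True
    except OSError:
        return False

def plan_blocks(lines, whitelist, now, probe=accepts_smtp):
    """Steps 2 and 4: {ip: expiry} for sources neither whitelisted nor SMTP hosts."""
    nets = [ip_network(n) for n in whitelist]
    return {str(ip): now + BLOCK_FOR for ip in infected_sources(lines)
            if not any(ip in n for n in nets) and not probe(ip)}

def iptables_rule(ip, action="-I"):
    """Rule text only (not executed): -I adds the block, -D lifts it."""
    return f"iptables {action} INPUT -s {ip} -p tcp --dport 25 -j DROP"

def expired(blocks, now):
    return sorted(ip for ip, until in blocks.items() if until <= now)
```

Run periodically, the dictionary from `plan_blocks` would be persisted between runs so that `expired` can emit the matching `-D` rule once the 72 hours are up.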

 




Snort and stable/testing

2004-05-08 Thread Dave Watkins
Hi All

I'm after some suggestions as to the easiest way to run Snort (and keep
it reasonably up to date), preferably without having to maintain it
manually or upgrading from stable as this is a firewall and the security
updates are important.

Snort in stable is still at 1.84 and so can't even process any of the
rules released these days.

Ideas / suggestions?

Thanks
Dave




Re: relay protection for Postfix

2004-06-18 Thread Dave Watkins
Aaron Goulding wrote:

> Okay, there's a lot of talk on -user about spam control, and I'd like
> to make sure my own server is properly secured. Could anyone recommend
> basic steps for Debian STABLE running Postfix for the MTA, to make
> sure it's not being used as a relay point? I want to be able to
> deliver mail from the box itself (to keep SquirrelMail working) but
> other than that, no one should be able to deliver mail through my
> machine.
>
> I figure this is a pretty simple item, and I'm just missing the steps
> in the docs. Thanks in advance!
>
> -Aaron, Dreamchaos.net administrator
>
>
I usually use this

http://www.abuse.net/relay.html

Does quite a number of tests and you can see the results in realtime




Re: email server - how to

2004-06-30 Thread Dave Watkins
Andreas John wrote:

>
>> Best to use 2U machines with the maximum number of disks IMHO.  A 2U
>> machine should be able to have 5 disks.
>
>
> I say: 9 Disks without problems. e.g.  pcicase
> http://www.pcicase.de/catalog/produktweb/IPC-C2-X/IPC-C2D.htm
>
>
The question is with that many disks is a single RAID 5 going to be
enough redundancy... That's an awful lot of data to lose if 2 drives
fail. May be worth thinking about RAID6 or a couple of RAID5 arrays striped.




Re: MySQL with temporary high load on shared server

2004-06-30 Thread Dave Watkins
Stefan Neufeind wrote:

>Hi folks,
>
>does anybody have with MySQL running on a shared server, which gets temporary 
>high load? My problem is that a friend uses an online-shop on a shared-system. 
>No problem with that - but when he uses update-scripts to upload his 
>products/prices/... from scratch the system almost goes down due to heavy 
>load. 
>There are about 10.000 products in the DB - not *so* much I always thought.
>System performance degrades for other services (mail, ftp, ...) as well as 
>other users trying to access their databases.
>
>Has anybody got an idea? Please let me know urgently!
>
>
>Kind regards,
> Stefan Neufeind
>  
>

I would suggest looking at using a bulk insert procedure; this should
significantly speed up the loading of the data. If memory serves you use
LOAD DATA. Check the MySQL manual.